J.Crew Disables User Accounts After Credential Stuffing Attack
J.Crew has disclosed that it suffered a credential stuffing attack in April of 2019 that resulted in customers’ accounts and information being compromised. Credential stuffing is when hackers use large collections of previously leaked username/password combinations purchased on dark web markets. This kind of attack relies on users reusing the same email and password combination across multiple different accounts.
J.Crew boasts 182 retail stores, 140 Madewell stores, and 170 factory stores as well as websites for each of these branches. J.Crew stated that it discovered the breach through routine web scanning and noticed that an unauthorized party was able to log in to their jcrew.com accounts. The information that was potentially compromised includes the last four digits of credit card numbers, expiration dates, card types and billing addresses connected to those cards.