Up to 700 Million Data Breaches in Bonobos: What to Do [Update]

Up to 700 Million Data Breaches in Bonobos: What to Do [Update]

70 gigabytes worth of customer data stolen from the website of US men's clothing retailer Bonobos was posted on a hacker forum, Bleeping Computer reported

The data includes 35 million records containing names and phone numbers associated with up to 7 million customers or orders, the last four digits of credit card numbers, and account information for 18 million customers, including passwords encrypted with SHA-256 and SHA-512 hashing algorithms

Stolen

One person who obtained the stolen data said he had already "cracked" more than 150,000 passwords encrypted with SHA-256, the weaker of the two algorithms

(This has nothing to do with Bonobo, a French retailer that sells casual clothing for both men and women)

If you have a Bonobos customer account, please change your password immediately If you use the same username and password for other websites, change the passwords for those sites as well to protect yourself from credential stuffing attacks

Make all new passwords strong and unique The best password managers will help you keep your passwords organized

Bonobos confirmed to Bleeping Computer that the data was authentic, but said it was taken from a cloud backup hosted by a third-party service, not directly from Bonobos' own network

"So far, we have found no evidence that an unauthorized third party has accessed Bonobos' internal systems," the company told Bleeping Computer What we have found is that unauthorized third parties have been able to view backup files hosted in an external cloud environment As soon as we became aware of this issue, we immediately contacted the host provider to resolve the issue"

The company also said it would enforce password resets on accounts whose passwords were compromised

"We are notifying customers via email that their contact information and encrypted passwords may have been viewed by unauthorized third parties," Bonobos told Bleeping Computer Payment information has not been affected by this issue"

It is not clear when the data was stolen, but screenshots of the stolen data posted on Bleeping Computer indicated that it was at least as recent as 2014 (three years before Wal-Mart acquired Bonobos) and as recent as July 2020

Nevertheless, if you have ever shopped at the Bonobos website, check your recent credit card statements and notify your card issuer immediately if you see anything odd

Bonobos apparel is also available on Wal-Mart's website and was previously available on Wal-Mart's now-shuttered subsidiary Jetcom However, no data from either site appears to have been compromised

A Bonobos spokesperson contacted Tom's Guide and issued the following statement:

"To be clear, 7 million customers were not affected; 7 million customers were not affected Customers often ship to multiple addresses or use different billing addresses, but that does not mean that 7 million customers were affected In fact, that number was much smaller"

Categories