Data breach at Bonobos hits up to 7 million: What to do [updated]

A Bonobos retail store in New York City.
(Image credit: NYCStock/Shutterstock)

Seventy gigabytes' worth of customer data stolen from the website of U.S. men's clothing retailer Bonobos has been posted in a hacker forum, reports Bleeping Computer

The data includes the names and telephone numbers associated with up to 7 million customers or orders, 3.5 million records containing the last four digits of credit card numbers, and account information for 1.8 million customers, including passwords encrypted with the SHA-256 and SHA-512 hashing algorithms. 

One person who got hold of the stolen data said they had already "cracked" more than 150,000 passwords encrypted with SHA-256, the weaker algorithm of the two.

(This has nothing to do with the French retailer Bonobo, which sells casual clothing to both men and women.)

If you have a Bonobos customer account, change its password immediately. If you've used the same username and password on other websites, change the passwords on those sites as well to protect yourself from credential-stuffing attacks

Make every new password strong and unique. One of the best password managers will help you sort all that out.

Stolen backup

Bonobos confirmed to Bleeping Computer that the data was genuine, but said it had been taken from a cloud backup hosted by a third-party service and not directly from Bonobos' own network.

"So far, [we] have found no evidence of unauthorized parties gaining access to Bonobos' internal system," the company told Bleeping Computer. "What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it."

The company also said it would be forcing password resets for any account for which the password was compromised.

"We're emailing customers to notify them that their contact information and encrypted passwords may have been viewed by an unauthorized third party," Bonobos told Bleeping Computer. "Payment information was not affected by this issue."

Data goes back several years

It's not clear when the data was stolen, but screenshots of the stolen data posted on Bleeping Computer indicated it was at least as old as 2014 (three years before Walmart bought the Bonobos company) and as recent as July 2020. 

Nevertheless, if you've ever shopped at the Bonobos website, go over your recent credit-card statements and let your card issuer know right away if anything looks wrong.

Bonobos apparel can also be purchased on the Walmart website, and it was formerly available on Walmart's now-shuttered subsidiary Jet.com. But it does not appear that data from either of those sites was compromised.

Update: Bonobos statement

A spokesperson for Bonobos reached out to Tom's Guide and provided the following statement:

"To clarify, 7 million customers were not impacted. Rather, a total of 7 million addresses were visible. Customers often ship to more than one address, or use a different billing address, but again, this does not mean 7 million customers were impacted. In fact, the number was far less."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.