Seventy gigabytes' worth of customer data stolen from the website of U.S. men's clothing retailer Bonobos has been posted in a hacker forum, reports Bleeping Computer (opens in new tab).
The data includes the names and telephone numbers associated with up to 7 million customers or orders, 3.5 million records containing the last four digits of credit card numbers, and account information for 1.8 million customers, including passwords encrypted with the SHA-256 and SHA-512 hashing algorithms.
- Google Chrome just got a big upgrade to help you with password hell
- The best password managers to protect your accounts
- Plus: 2.3 million hit by dating site data breach — what to do
One person who got hold of the stolen data said they had already "cracked" more than 150,000 passwords encrypted with SHA-256, the weaker algorithm of the two.
(This has nothing to do with the French retailer Bonobo, which sells casual clothing to both men and women.)
If you have a Bonobos customer account, change its password immediately. If you've used the same username and password on other websites, change the passwords on those sites as well to protect yourself from credential-stuffing attacks.
Make every new password strong and unique. One of the best password managers will help you sort all that out.
Bonobos confirmed to Bleeping Computer that the data was genuine, but said it had been taken from a cloud backup hosted by a third-party service and not directly from Bonobos' own network.
"So far, [we] have found no evidence of unauthorized parties gaining access to Bonobos' internal system," the company told Bleeping Computer. "What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it."
The company also said it would be forcing password resets for any account for which the password was compromised.
"We're emailing customers to notify them that their contact information and encrypted passwords may have been viewed by an unauthorized third party," Bonobos told Bleeping Computer. "Payment information was not affected by this issue."
Data goes back several years
It's not clear when the data was stolen, but screenshots of the stolen data posted on Bleeping Computer indicated it was at least as old as 2014 (three years before Walmart bought the Bonobos company) and as recent as July 2020.
Nevertheless, if you've ever shopped at the Bonobos website, go over your recent credit-card statements and let your card issuer know right away if anything looks wrong.
Bonobos apparel can also be purchased on the Walmart website, and it was formerly available on Walmart's now-shuttered subsidiary Jet.com. But it does not appear that data from either of those sites was compromised.
Update: Bonobos statement
A spokesperson for Bonobos reached out to Tom's Guide and provided the following statement:
"To clarify, 7 million customers were not impacted. Rather, a total of 7 million addresses were visible. Customers often ship to more than one address, or use a different billing address, but again, this does not mean 7 million customers were impacted. In fact, the number was far less."