Article Details
Scrape Timestamp (UTC): 2024-03-07 00:29:55.966
Original Article Text
Click to Toggle View
PetSmart warns of ongoing credential stuffing attacks. Pet retail giant PetSmart is warning some customers their passwords were reset due to an ongoing credential stuffing attack attempting to breach accounts. PetSmart is the largest retailer in the US, focusing on pets and associated products, with over 60 million customers and 1,600 stores nationwide. In new email notifications sent to PetSmart customers first seen by DarkWebInformer, the company warns that customers are being targeted by credential stuffing attacks used to gain access to their accounts. PetSmart reset passwords for any accounts logged in during the credential stuffing attacks to be safe as they could not determine if the logged in user was the account owner or the hackers. "We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised," reads the PetSmart email alert. "Instead, our security tools saw an increase in password guessing attacks on petsmart.com, and during this time your account was logged into. While the log in may have been valid, we wanted you to know." "In an abundance of caution to protect you and your account, we have inactivated your password petsmart.com. The next time you visit petsmart.com, simply click the "forgot password" link to reset your password." A credential stuffing attack is when threat actors collect login credentials exposed in data breaches and then use those credentials to try to log into other sites. Once a threat successfully breaches an account, they are used for malicious behavior, including making fraudulent purchases, sending spam, or launching other attacks. More commonly, the threat actors sell the breached accounts to others, who use them to make purchases, cash in rewards points, or steal money. Other companies hit in the past with credential stuffing attacks include PayPal, Spotify, Xfinity, and Chick-fil-A, and with more damaging losses, FanDuel and DraftKings. In May 2023, an 18-year-old was charged with hacking 60,000 DraftKings betting accounts and selling them on a stolen account marketplace called the Goat Shop. While DraftKings initially stated only $300,000 was stolen via the attacks, the Department of Justice later revealed that $600,000 was stolen from 1,600 compromised accounts.
Daily Brief Summary
PetSmart issued warnings to certain customers about a credential stuffing attack targeting their accounts.
The pet retail giant has reset passwords for accounts accessed during the attack due to the inability to confirm the legitimacy of the logins.
Email notifications sent to customers state there is no evidence of a breach on PetSmart's systems but increased password guessing attempts were detected.
Customers affected by the precautionary password reset need to use the "forgot password" function to regain access to their accounts on the company's website.
Credential stuffing involves using leaked login details from other breaches to gain unauthorized access to accounts on different services.
Successful attacks can lead to fraudulent purchases, spam, or other malicious activities; compromised accounts often end up for sale on the dark web.
Past victims of similar attacks include significant businesses like PayPal, Spotify, and FanDuel, the latter having $600,000 stolen from breached accounts.