Incident Of The Week: Uniqlo Suffers Credential Stuffing Cyber Attack

Fast Retailing is the company behind multiple Japanese retail brands including Uniqlo, which it confirmed in an official statement, is the latest victim to a credential stuffing attack. The company said that from April 23 to May 10, 2019, there was fraudulent login to 461,091 accounts [so far as it is still under investigation].

See Related: “Dunkin’ Donuts Reports Credential Stuffing Attack”

According to the statement, “We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”

What are the Attack Details Known So Far?

The number of customer accounts for which unauthorized login has been confirmed: UNIQLO official online store-Gyu registered 461,091 items.

The personal information of customers who may have been browsed:

• Customer's name (first name, last name, phonetic).
• Customer's address (zip code, city, county, street address, room number).
• Phone number, mobile phone number, e-mail address, gender, date of birth, purchase history, name and size registered in My Size.
• Shipping name (first name, last name, address), phone number.
• Part of credit card information (card holder, expiration date, part of credit card number). Credit card numbers are hidden except for the first four digits and the last four digits. CVV numbers (credit card security codes) are not displayed or stored, so there is no possibility of leakage.

Once the company identified the communication origin where unauthorized login was attempted, it blocked access, and strengthened monitoring on other accesses. For the 461,091 user IDs where personal information may have been viewed, the password has been invalidated on May 13, and e-mails were sent asking customers to reset passwords. In addition, the case was reported to the Tokyo Metropolitan Police Department.

See Related: “Weak Passwords Are Costing Enterprises Millions”

Fast Retailing urges its customers using its online store site to cooperate by:

1. Setting a password different from other company's services.
2. Do not use passwords that third parties can easily guess.

“We recognize that the protection of customer information is our top priority, and we sincerely accept the occurrence of this situation and maintain an environment where customers can shop more safely and securely, such as strengthening monitoring of unauthorized logins,” the company said.

While the number of Fast Retailing online customers is not public, "Internet sales made up 10% of domestic sales in the first half of the company’s current fiscal year," as Bloomberg initially reported.

How To Prevent Credential Stuffing

Since the beginning of 2019, there have already been a handful of successful credential stuffing attacks which managed to infiltrate the computing systems of TurboTax, Dunkin' Donuts, Basecamp, and Dailymotion, as reported by bleepingcomputer. It said that cyber criminals behind credential stuffing campaigns have designed them to be completely automated, making use of large collections of stolen credentials bought from undergrounds markets to be able to take over customer accounts.

According to Akamai Research, it recorded nearly 30 billion credential stuffing attacks in 2018. Some tips for businesses to avoid credential stuffing attacks include:

• Partner with a solid solutions provider to help detect and stop credential stuffing attacks.

• Ensure a defensive solution is tailored to the businesses, as criminals will adjust their attacks accordingly to evade out-of-the-box configurations.

• Users need to be educated about credential stuffing attacks, phishing and other risks that put their account information in jeopardy.

• Brands should stress the importance of unique passwords and password managers to customers and highlight the value of multi-factor authentication.

See Related: "Incident Of The Week" Articles