UPDATED 23:47 EDT / MARCH 04 2020


Customer credit card data stolen in April 2019 hack of J.Crew

J.Crew Group Inc. is the latest victim of a data breach, as customer data was stolen around April 2019.

The company disclosed the hack in a notice filed late last month with the California Attorney General’s Office. The hack is said to have been “recently” discovered “through routine and proactive web scanning.”

Data potentially stolen included some credit card information for cards stored in customer accounts, including the cards’ last four digits, expiration dates, card types and the billing addresses connected to the cards.

A spokesperson for the company told TechCrunch that the hack involved credential stuffing, a method in which usernames and passwords already exposed in breaches of other sites are replayed to access accounts on a different site. J.Crew did not disclose the number of customers affected, saying only that a “small number” were affected in the data breach.

“For users, there is nothing good about the credential stuffing attack at J. Crew but there are some useful lessons to be learned,” Jonathan Knudsen, senior security strategist at electronic design automation and software security firm Synopsys Inc., told SiliconANGLE.

“First, credential stuffing is an attack where previously leaked lists of user names and passwords are used to gain unauthorized access to systems,” Knudsen explained. “Knowing this, the best course of action is to practice good password hygiene. Don’t re-use the same password across multiple sites, and make sure you are using strong passwords that cannot be easily guessed. If your J.Crew password is also in use elsewhere, be certain you update your passwords to avoid future issues with this or other accounts.”

The second lesson, he added, is that J.Crew did not make a public announcement about the attack until nearly a year later. “What other attacks, involving your personal information, might have already occurred without your knowledge?” he said. “For especially valuable accounts, consider upping the bar with two-factor authentication.”

Paul Bischoff, privacy advocate at research firm Comparitech Ltd., noted that if businesses don’t start forcing users to set up two-factor authentication for logins, then they’ll have little defense against credential stuffing attacks such as this.
