UPDATED 18:53 EDT / MARCH 07 2024

SECURITY

PetSmart alerts customers to credential-stuffing attacks targeting user accounts

U.S. pet store company PetSmart Inc. is warning customers that an unidentified threat actor is trying to log into user accounts via a credential-stuffing attack.

First reported by Dark Web Performer on X, formerly Twitter, an email sent to affected customers states that PetSmart’s internal security tools had seen an increase in “password guessing attacks” on petsmart.com — referring to credential-stuffing attacks — and that during this time, the customer’s account had been logged into.

The email explained that out of an abundance of caution to protect user accounts, PetSmart has inactivated affected passwords on petsmart.com and that the next time the user logs in, they will need to click on the “forgot password” link to reset their password.

“Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours,” PetSmart wrote. “To help keep your accounts secure, remember to use strong passwords, change your passwords at least a few times a year and use different passwords for each of your important accounts.”

The email also noted that there was no indication that petsmart.com or any of the company’s systems had been compromised.

A credential-stuffing attack involves hackers using previously stolen user information from other sites to access other accounts held by those who have had their account details stolen. The attack method relies on people reusing passwords on different sites, a dangerous thing to do in the age of perpetual data breaches but one that is all too common.

Ted Miracco, chief executive of mobile app protection company Approov, told SiliconANGLE that PetSmart’s reliance on password resets alone is necessary, but entirely insufficient in addressing the complexities of modern cyberthreats such as credential-stuffing.

Miracco noted that securing application programming interfaces requires more than just credentials and multi-factor authentication, “it demands a comprehensive security strategy that encompasses multiple layers of protection.”

“The adoption of advanced security measures like token-based systems is often perceived as the domain of banks, cryptocurrency platforms and other high-security sectors,” he added. “However, the reality is that any business handling personal information – be it an e-commerce platform, a healthcare provider or, indeed, a pet retailer – must prioritize these enhanced security measures.“

Photo: Mike Mozart/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+  
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+ 
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.