U.S. pet store company PetSmart Inc. is warning customers that an unidentified threat actor is trying to log into user accounts via a credential-stuffing attack.

First reported by Dark Web Performer on X, formerly Twitter, an email sent to affected customers states that PetSmart’s internal security tools had seen an increase in “password guessing attacks” on petsmart.com — referring to credential-stuffing attacks — and that during this time, the customer’s account had been logged into.

The email explained that out of an abundance of caution to protect user accounts, PetSmart has inactivated affected passwords on petsmart.com and that the next time the user logs in, they will need to click on the “forgot password” link to reset their password.

“Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours,” PetSmart wrote. “To help keep your accounts secure, remember to use strong passwords, change your passwords at least a few times a year and use different passwords for each of your important accounts.”

The email also noted that there was no indication that petsmart.com or any of the company’s systems had been compromised.

A credential-stuffing attack involves hackers using previously stolen user information from other sites to access other accounts held by those who have had their account details stolen. The attack method relies on people reusing passwords on different sites, a dangerous thing to do in the age of perpetual data breaches but one that is all too common.

Ted Miracco, chief executive of mobile app protection company Approov, told SiliconANGLE that PetSmart’s reliance on password resets alone is necessary, but entirely insufficient in addressing the complexities of modern cyberthreats such as credential-stuffing.

Miracco noted that securing application programming interfaces requires more than just credentials and multi-factor authentication, “it demands a comprehensive security strategy that encompasses multiple layers of protection.”

“The adoption of advanced security measures like token-based systems is often perceived as the domain of banks, cryptocurrency platforms and other high-security sectors,” he added. “However, the reality is that any business handling personal information – be it an e-commerce platform, a healthcare provider or, indeed, a pet retailer – must prioritize these enhanced security measures.“

Photo: Mike Mozart/Flickr