Bed Bath & Beyond Discloses Customer Login Credentials Breach
In a report to the Securities and Exchange Commission (SEC) on Tuesday, retailer Bed Bath & Beyond disclosed that an unauthorized party obtained login information for some of its customers.
Details about the breach are scarce but the company says that it affected a small number of online accounts.
According to the SEC filing, email and password information was accessed from a source outside the company’s systems.
The amount of login information compromised as a result of this incident is limited, as the unnamed source could access less than 1% of Bed Bath & Beyond’s online customer accounts.
The company notes that payment card data was not affected by this incident, which is described as limited in nature.
On October 29, affected customers started to receive notifications about the breach, as required by law.
It is unclear when the incident happened, but once it was discovered, the retailer contracted the services of “a leading security forensics firm and has implemented remedial measures.”
Although this security event is not expected to have a negative impact on the company's operations or financial condition, Bed Bath & Beyond stock fell by 0.2% in after-hours trading, MarketWatch reports.
Javvad Malik, Security Awareness Advocate at KnowBe4, told BleepingComputer that the source with access to the login data may have been compromised because an employee recycled their corporate credentials.
Cybercriminals who obtain breach data often test it against various online services precisely because they know that many users reuse their login information.
If an individual uses their company email to register for a service that later gets breached, it is very likely that cybercriminals will try the associated password against the corporate account as well.
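Credential stuffing of the kind described above leaves a characteristic trace in a site's authentication logs: a single source trying many distinct accounts, with most attempts failing. The following is an added example, not code from the article, BleepingComputer or Bed Bath & Beyond; it flags such sources in a constructed log sample and lists the accounts that logged in successfully from them (candidates for a forced password reset). The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# 203.0.113.5 walks through six different accounts and gets one hit;
# 198.51.100.7 is one user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
2019-10-29T10:00:01Z 203.0.113.5 alice@example.com FAIL
2019-10-29T10:00:02Z 203.0.113.5 bob@example.com FAIL
2019-10-29T10:00:03Z 203.0.113.5 carol@example.com OK
2019-10-29T10:00:04Z 203.0.113.5 dave@example.com FAIL
2019-10-29T10:00:05Z 203.0.113.5 erin@example.com FAIL
2019-10-29T10:00:06Z 203.0.113.5 frank@example.com FAIL
2019-10-29T10:01:10Z 198.51.100.7 alice@example.com FAIL
2019-10-29T10:01:25Z 198.51.100.7 alice@example.com FAIL
2019-10-29T10:01:40Z 198.51.100.7 alice@example.com OK
"""

def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK"}

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.3):
    """Return {ip: stats} for sources that tried many distinct accounts
    and mostly failed, i.e. the shape of a credential-stuffing run."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["successes"] += int(e["ok"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["successes"]}
    return flagged

def accounts_to_reset(log_text, flagged_ips):
    """Accounts that authenticated successfully from a flagged source:
    their password was probably valid in the attacker's reused-credential list."""
    return {e["user"] for e in map(parse_line, filter(str.strip, log_text.splitlines()))
            if e["ok"] and e["ip"] in flagged_ips}
```

A real deployment would key on more than the source IP (stuffing runs are usually spread over proxies) and would enforce the reset and an MFA prompt rather than just reporting.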
This is not the only security incident Bed Bath & Beyond had to deal with this year. At the beginning of May, the retailer notified its customers that a call center employee processing orders “may have attempted to illegally compromise customer credit card information.”
Read the original article over at BleepingComputer.com.