Over 72,000 US consumers may have had their account details compromised following a cyber-attack on denim clothing giant Levi Strauss & Co. Almost two weeks ago, on June 13, Levi’s spotted an unusual spike in activity on its consumer-facing website and immediately realized its users were under threat.
“Our investigation showed characteristics associated with a ‘credential stuffing’ attack where bad actor(s) who have obtained compromised account credentials from another source (such as a third-party data breach) then use a bot attack to test these credentials against another website – in this case www.levis.com,” said Levi’s in a published notice detailing the data breach.
Levi’s warns: “Anyone that accessed your account would be able to view information contained there such as your order history, name, email, stored addresses, and, if you have saved a payment method, partial information that includes the last four digits of card number, card type and expiration date.”
However, Levi’s claims that the breach results from lax security elsewhere, and it is effectively sidestepping responsibility for the tens of thousands of compromised customers by laying much of the blame squarely at the door of its users.
“Bad actors have attempted to log into some accounts using email and password combinations obtained elsewhere. If you re-use your passwords across websites, it is possible they were able to log into your account,” said Levi’s.
It may well be the case that Levi’s website users’ details were purchased in bulk on the Darknet, which would make it hard to establish where the original breach or breaches occurred. It is also true that many users still use the same password for multiple purposes.
“Users often assign the same email and password combination across multiple online accounts, allowing an unauthorized person to gain access more easily using stolen login credentials from another source,” said Levi’s.
Online retailers are too keen to amass customer details
However, while many users may be guilty of using the same password for multiple websites, this is as much the fault of the companies running the websites as of their customers: few ordinary consumers wish to commit a new complex password to memory every time they make an online purchase or apply for a discount. Online retailers, meanwhile, are frequently anxious to make customers register personal details for their marketing purposes.
This breach highlights a problem that is not peculiar to Levi’s but is a conundrum for online retailing as a whole. There is a growing groundswell of public opinion that companies must do more to protect the vast oceans of customer data they are so anxious to accumulate.