[BreachExchange] Bonobos clothing store suffers a data breach, hacker leaks 70GB database

Mon Jan 25 10:33:51 EST 2021

https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/

Bonobos men's clothing store has suffered a massive data breach
exposing millions of customers' personal information after a cloud
backup of their database was downloaded by a threat actor. Bonobos
states that the corporate systems were not breached during the attack.

Bonobos started as an online men's clothing store but later expanded
to sixty locations to try on clothes before purchasing them. Walmart
bought Bonobos in 2017 for $300 million to sells its clothing on their
Jet.com site.

Last weekend, a threat actor known as ShinyHunters, who is notorious
for hacking online services and selling stolen databases, posted the
full Bonobos database to a free hacker forum.

Forum post leaking the Bonobos database

Massive 70 GB database leaked

This leaked database is a monstrous 70 GB SQL file containing various
internal tables used by the Bonobos website. The database also
includes various data far more interesting to threat actors, such as
customers' addresses, phone numbers, partial credit card numbers (last
four digits), order information, password histories.

The amount of records varies depending on the category of the data.
For example, the address and phone numbers are for 7 million
customers/orders, account information for 1.8 million registered
customers, and 3.5 million partial credit card records.

Leaked user records table

The passwords stored in the database are hashed using SHA-256 or
SHA-512 according to threat actors who have started to analyze the
database. One threat actor claims to have already cracked the
passwords for 158,000 SHA-256 passwords but has been unable to crack
the SHA-512 passwords.

The hacker turned the cracked passwords into a 'combolist' used in
credential stuffing attacks, which is to log in using the stolen
credentials at other sites.

Backup database was stolen from the cloud

After BleepingComputer contacted Bonobos about the leaked database,
the clothing store told us that the threat actors did not gain access
to internal systems but rather to a backup file hosted in an external
cloud environment.

"Protecting our customers’ data is something we take very seriously.
We’re investigating this matter further and, so far, have found no
evidence of unauthorized parties gaining access to Bonobos’ internal
system. What we have discovered is an unauthorized third party was
able to view a backup file hosted in an external cloud environment. We
contacted the host provider to resolve this issue as soon as we became
aware of it."

"Also, we have taken additional precautionary steps, including turning
off access points, invalidating account passwords and requiring
password resets, to further secure customer accounts. We're emailing
customers to notify them that their contact information and encrypted
passwords may have been viewed by an unauthorized third party. Payment
information was not affected by this issue. We’ll continue to share
updates with customers as they become available," Bonobos told
BleepingComputer via email.

Though the database did not include full payment information in the
database, threat actors can use the partial data in targeted phishing
attacks.

Partial credit card information in the database

Update 1/24/21: Bonobos has begun to email data breach notifications
to affected customers, as shown below.

Bonobos data breach notification

What should Bonobos users do?

As this is a confirmed data breach, it is strongly recommended that
all Bonobos users immediately change their password on the site.

If the same password has been used at other sites, change your
password to a unique one there as well.

Using unique passwords at every site you have an account prevents a
data breach at one site from affecting you at other websites you use.

BleepingComputer recommends using a password manager to track strong
and unique passwords for the sites you have accounts.

Finally, all Bonobos customers should be on the lookout for emails
asking for credit card or login information, as it could be targeted
phishing scams resulting from this data breach.

Update 1/22/21: Our story originally mentioned that the database
contained virtual gift cards. Bonobos told us that this data is store
credit and cannot be redeemed as tender.
Update 1/24/21: Bonobos has begun to email data breach notifications
to affected users.