The housewares giant disclosed a breach with few details – but security researchers have some theories.
Housewares and home furnishings purveyor Bed, Bath and Beyond has disclosed a data-thieving cyber attack that allowed the adversaries to access customers’ online accounts.
According to a Tuesday SEC filing, the company “discovered that a third party acquired email and password information from a source outside of the company’s systems which was used to access … customers’ online accounts.”
The retailer sent out notifications on Tuesday to affected shoppers, who collectively represent less than 1 percent of the company’s online customer accounts, it said. The company, which receives about 4 million website visitors per month, didn’t put a solid number around the number of those impacted.
Other details are scant, but Colin Bastable, CEO of security training and awareness company Lucy Security, said that he believed the short statement indicates a supply-chain attack vector, rather than someone managing to find a set of internal administrative credentials for the company.
“Our Lucy analysts say that a quick look on the Dark Web shows only one recent potential exposure of a Bed Bath & Beyond employee’s credentials, first spotted back in June — a person in HR with a supposed credential associated with a purported company email address,” he said in an email. “The most likely point of entry is through a third-party supplier of services to the company, and the odds are over 90 percent in favor of the attack being initiated by a phishing email, perhaps a spoof email, one that appears to be from someone else.”
Javvad Malik, security awareness advocate at KnowBe4, had a different theory.
“It’s currently unclear as to exactly how the attack against Bed Bath & Beyond was perpetrated. But going on the limited information, it could be that an employee had reused their corporate credentials which were subsequently compromised,” he said.
While Bed Bath and Beyond, which also owns the brands Christmas Tree Shops, Cost Plus World Market, and buybuy Baby, among other businesses, did say that payment cards weren’t impacted, the filing is unclear as to what other information was obtained; if attackers were able to access online accounts, that could in theory include order histories and the like.
“Attackers do not discriminate against the size or type of company, customer data is valuable all the same regardless of the source,” Malik said. “This data is not just restricted to financial data — but personal data is also equally valuable to criminals, and in some cases, even more so.”
Bastable said that even if only email addresses were in the cache of accessed data, the risk of follow-on attacks is real.
“The bad guys don’t need a password to phish you, just a valid email,” he explained. “How do they know that the next marketing email is really from Bed Bath and Beyond? Phishing attacks can keep coming over the next several years. The message to all consumers is – you may trust your favorite online store’s security, but you don’t know who they allow to have access to your data. Don’t recycle passwords with online shopping sites.”
According to a report on stolen credentials and Fortune 500 companies from ImmuniWeb released this week (Bed, Bath and Beyond is No. 258 on the Fortune list), millions of stolen corporate credentials available in the Dark Web are exploited by cybercriminals for spearphishing and password re-use attacks.
ImmuniWeb’s analysis of the quality and quantity of stolen credentials accessible on the Dark Web found there to be over 21 million (21,040,296) credentials belonging to Fortune 500 companies, of which over 16 million (16,055,871) were compromised during the last 12 months. As many as 95 percent of the credentials contained plaintext passwords, either stored unencrypted or brute-forced and cracked by the attackers.
The most common sources of the exposures and breaches were third parties (e.g. websites or other resources of unrelated organizations); trusted third parties (partners, suppliers or vendors); and the companies themselves (e.g. their own websites or other in-house resources).
Both the number of reported data breaches and the number of records exposed in them spiked by over 50 percent in Q1 2019 compared to the previous year, according to earlier research from Risk Based Security — resulting in 4,000 breaches exposing over 4 billion compromised records.