PetSmart warns of credential stuffing attacks trying to hack accounts

Puppies looking at a laptop

Pet retail giant PetSmart is warning some customers their passwords were reset due to an ongoing credential stuffing attack attempting to breach accounts.

PetSmart is the largest retailer in the US, focusing on pets and associated products, with over 60 million customers and 1,600 stores nationwide.

In new email notifications sent to PetSmart customers first seen by DarkWebInformer, the company warns that customers are being targeted by credential stuffing attacks used to gain access to their accounts.

PetSmart reset passwords for any accounts logged in during the credential stuffing attacks to be safe as they could not determine if the logged in user was the account owner or the hackers.

“We want to assure you that there is no indication that or any of our systems have been compromised,” reads the PetSmart email alert.

“Instead, our security tools saw an increase in password guessing attacks on, and during this time your account was logged into. While the log in may have been valid, we wanted you to know.”

“In an abundance of caution to protect you and your account, we have inactivated your password The next time you visit, simply click the “forgot password” link to reset your password.”

PetSmart email about credential stuffing attack
PetSmart email about credential stuffing attack
Source: DarkWebInformer

A credential stuffing attack is when threat actors collect login credentials exposed in data breaches and then use those credentials to try to log into other sites.

Once a threat successfully breaches an account, they are used for malicious behavior, including making fraudulent purchases, sending spam, or launching other attacks.

More commonly, the threat actors sell the breached accounts to others, who use them to make purchases, cash in rewards points, or steal money.

Other companies hit in the past with credential stuffing attacks include PayPalSpotifyXfinity, and Chick-fil-A, and with more damaging losses, FanDuel and DraftKings.

In May 2023, an 18-year-old was charged with hacking 60,000 DraftKings betting accounts and selling them on a stolen account marketplace called the Goat Shop.

While DraftKings initially stated only $300,000 was stolen via the attacks, the Department of Justice later revealed that $600,000 was stolen from 1,600 compromised accounts.

This content is being syndicated from Source link for documentation purpose. If you are the owner of the content and like it removed, kindly contact me here and I will remove the content.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top