PetSmart was forced to log people out of their accounts and reset their passwords due to an ongoing credential stuffing attack.
The American pet retail giant sent out a security notification to its users telling them that an unidentified threat actor tried to log into people’s accounts via credential stuffing - an automated attack in which the hacker tries infinite username/password combinations until they break into an account.
"We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised," the breach notification said.
Using accounts for spam
With credential stuffing attacks, it’s virtually impossible to differentiate between regular traffic (i.e. actual user logging into their account) and malicious traffic, which is why PetSmart decided to simply push everyone out and force a password reset, just to be on the safe side.
"Instead, our security tools saw an increase in password guessing attacks on petsmart.com, and during this time your account was logged into. While the log in may have been valid, we wanted you to know,” they added. "In an abundance of caution to protect you and your account, we have inactivated your password petsmart.com. The next time you visit petsmart.com, simply click the "forgot password" link to reset your password."
Credential stuffing attacks often work for two reasons: first, people frequently use weak and easy-to-guess passwords, which automated tools can easily crack; and second, some services grant their users unlimited attempts at logging in, which is ideal for hackers with automation tools. Having access to different accounts might sound pointless, but hackers have ways of making use of them. For example, they can use the accounts to spread spam, or malware, to other users who would not expect an attack from a familiar face.
PetSmart is considered one of the biggest retailers for pet products in the US, with more than 60 million customers.
Via BleepingComputer
More from TechRadar Pro
- This new Linux malware floods machines with cryptominers and DDoS bots
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now