Cyber Incident Victim: Bonobos
Date:
Jan 2021
Location:
United States of America
Summary
A men's clothing retailer experienced a data breach when threat actors accessed and leaked a 70GB cloud backup database containing customer information, including 7 million shipping addresses, 1.8 million account details, and 3.5 million partial credit card records. The compromised data also included password histories stored as SHA-256 and SHA-512 hashes; because SHA-256 is a fast general-purpose hash rather than a password-hashing function, attackers reportedly cracked 158,000 of the SHA-256 hashes and compiled the recovered passwords into credential-stuffing lists. While the company confirmed no internal system compromise and stated payment information remained unaffected, it invalidated account credentials, reset passwords, and notified customers about potential exposure of contact details and hashed passwords. The incident stemmed from unauthorized access to an external cloud-hosted backup file rather than direct corporate network infiltration.
Description
On or around January 22, 2021, Bonobos, a men's clothing retailer acquired by Walmart in 2017, confirmed a data breach resulting from unauthorized access to a cloud-hosted backup database. The incident came to light after the threat actor known as ShinyHunters publicly leaked a 70GB SQL database file on a hacker forum the preceding weekend. This database contained extensive customer and operational records, including 7 million shipping addresses, 1.8 million registered customer account details, and 3.5 million partial credit card records showing only the last four digits. The account records included password hashes computed with SHA-256 and SHA-512 (described in the company's notification as "encrypted" passwords). Neither algorithm is a password-hashing function: both are fast to compute, so weak passwords protected only by them can be recovered with a wordlist. Threat actors had already cracked 158,000 of the SHA-256 hashes and compiled the recovered passwords into credential-stuffing lists. Order histories, contact information, and password histories were also exposed. Bonobos clarified that internal corporate systems remained uncompromised, attributing the breach solely to unauthorized access of an external cloud backup file.
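The hash cracking described above, as an added illustration (this is not Bonobos code and not the leaked data; every account, password and wordlist entry is constructed for the example, and helper names such as `crack_unsalted` and `crack_salted` are this example's own). It shows why unsalted SHA-256 is cheap to crack in bulk, how cracked pairs become a credential-stuffing list, and what a per-user salt plus a slow KDF changes: the attacker can no longer hash each candidate once for the whole dump and must pay one KDF call per candidate per account.

```python
"""Unsalted SHA-256 password hashes versus a salted, slow KDF.

Added illustration, not Bonobos code and not the leaked database.
All accounts, passwords and the wordlist below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts (invented addresses and passwords).
CONSTRUCTED_ACCOUNTS = {
    "alice@example.com": "Password1",
    "bob@example.com": "bonobos2020",
    "carol@example.com": "correct horse battery staple",
}

# Constructed attacker wordlist; two entries overlap with the accounts above.
CONSTRUCTED_WORDLIST = ["123456", "password", "Password1", "bonobos2020", "qwerty", "letmein"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256: the weak scheme reported for part of the dump."""
    return hashlib.sha256(password.encode()).hexdigest()


def leaked_sha256_table(accounts: dict[str, str]) -> dict[str, str]:
    """Simulate the leaked column: email -> hex SHA-256 of the password."""
    return {email: sha256_hex(pw) for email, pw in accounts.items()}


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack against unsalted SHA-256.

    Hash each candidate once, then look every leaked digest up in the
    result. Cost is O(len(wordlist)) no matter how many accounts the dump
    holds, which is why bulk cracking of unsalted fast hashes is cheap.
    """
    reverse = {sha256_hex(w): w for w in wordlist}
    return {email: reverse[h] for email, h in leaked.items() if h in reverse}


def build_stuffing_list(cracked: dict[str, str]) -> list[str]:
    """Turn cracked pairs into the 'email:password' list replayed against
    other sites in a credential-stuffing attack."""
    return sorted(f"{email}:{pw}" for email, pw in cracked.items())


# --- hardened scheme: per-user random salt + slow KDF ---------------------
# PBKDF2 is used because it is in the standard library; argon2id or scrypt
# are the stronger choices in production.
PBKDF2_ITERATIONS = 100_000


def kdf_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_salted(accounts: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Store email -> (salt, digest) with a fresh 16-byte salt per user."""
    store = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        store[email] = (salt, kdf_hash(pw, salt))
    return store


def verify_salted(store: dict[str, tuple[bytes, bytes]], email: str, password: str) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    salt, digest = store[email]
    return hmac.compare_digest(kdf_hash(password, salt), digest)


def crack_salted(store: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same wordlist against the salted store.

    The shared reverse table no longer applies: each account needs its own
    pass over the wordlist, so work is O(accounts * wordlist * KDF cost).
    Weak passwords still fall; the point is the per-guess price. Returns
    (cracked, number_of_kdf_calls) so the work factor is visible.
    """
    cracked, calls = {}, 0
    for email, (salt, digest) in store.items():
        for candidate in wordlist:
            calls += 1
            if hmac.compare_digest(kdf_hash(candidate, salt), digest):
                cracked[email] = candidate
                break
    return cracked, calls


if __name__ == "__main__":
    leaked = leaked_sha256_table(CONSTRUCTED_ACCOUNTS)
    cracked = crack_unsalted(leaked, CONSTRUCTED_WORDLIST)
    print("unsalted SHA-256 cracked with", len(CONSTRUCTED_WORDLIST), "hash ops:", cracked)
    print("stuffing list:", build_stuffing_list(cracked))
    store = store_salted(CONSTRUCTED_ACCOUNTS)
    salted_cracked, calls = crack_salted(store, CONSTRUCTED_WORDLIST)
    print("salted KDF cracked:", salted_cracked, "after", calls, "KDF calls of", PBKDF2_ITERATIONS, "iterations each")
```

The unsalted run recovers both weak passwords with six SHA-256 computations in total; the salted run recovers the same two, but only after thirteen KDF calls at 100,000 iterations each, and every additional account in a real dump multiplies that cost rather than sharing it. The salt does nothing for users who chose a wordlist entry, which is why the password reset Bonobos forced is the correct response regardless of the hashing scheme.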

Bonobos initiated containment measures upon discovering the breach, including disabling the relevant access points, invalidating all customer account passwords, and enforcing mandatory password resets. The company worked with its cloud hosting provider to close the exposure and began emailing affected customers on January 24, 2021. These notifications confirmed the exposure of contact details and what the company described as encrypted passwords, but emphasized that full payment data remained unaffected. The main downstream risk came from the partial credit card numbers and personal identifiers, which security analysts warned could lend credibility to targeted phishing (a fraudulent "suspicious charge" message that quotes a customer's real last four digits, for example). No evidence suggested misuse of the data prior to the leak, though publication of the database on open forums significantly raised the risk of secondary attacks such as credential stuffing against accounts reusing the same password elsewhere. Bonobos maintained ongoing investigation efforts and committed to providing further updates as its review progressed.
