Cyber Incident Victim: UNIQLO Japan
Date: Apr 2019
Location: Japan
Summary
A credential stuffing attack compromised over 460,000 customer accounts on UNIQLO Japan's online store over a multi-week period, exposing personal and financial details including names, addresses, contact information, purchase histories, and partial credit card data. The parent company disabled affected account credentials, initiated password resets, and notified impacted customers while attributing the breach to automated attacks leveraging stolen credentials from third-party sources. The incident highlighted widespread credential reuse vulnerabilities and insufficient two-factor authentication adoption in retail sectors targeted by such attacks.
Description
The UNIQLO Japan data breach occurred between April 23 and May 10, 2019, when unauthorized parties accessed customer accounts through a credential stuffing attack targeting the online stores of UNIQLO Japan and GU Japan, both operated by Fast Retailing. Attackers exploited stolen credentials obtained from underground markets to automate login attempts, successfully compromising 461,091 accounts. The breach was detected during an ongoing investigation, though the exact discovery date was not specified. Exfiltrated data included customers' full names, physical addresses, telephone numbers, email addresses, purchase histories, and partial credit card information. Fast Retailing confirmed the intrusion affected only its Japanese e-commerce platforms, with no mention of international subsidiaries or physical store systems being compromised. The company emphasized that the attack leveraged reused passwords across multiple services, as credential stuffing relies on victims repeating credentials across platforms.

In response, Fast Retailing immediately disabled passwords for all impacted accounts and initiated forced password resets, sending instructions to affected users via email. The company directly notified breached customers through multiple channels, establishing a dedicated support line (0800-000-1022) and email address for incident-related inquiries. No evidence suggested misuse of financial data, though customers were advised to monitor accounts and change reused passwords elsewhere. The breach exposed vulnerabilities in authentication practices, particularly the absence of two-factor authentication noted in the broader context of retail cyberattacks. Akamai's 2018 report documenting 28 billion credential stuffing attempts underscored the prevalence of such attacks against retail sectors. Fast Retailing disclosed that online sales constituted 10% of domestic revenue during the first half of its fiscal year, highlighting the operational significance of its e-commerce platforms. The incident remained under investigation as of the May 14, 2019, disclosure, with no additional attack vectors or post-breach malicious activities reported.
