Hot Topic Data Breach: 57 Million Customers Exposed – Ankor Tech

A massive data breach at American retailer Hot Topic has compromised the personal information of 57 million customers. The incident, which took place in October, exposed a wide range of sensitive data, including physical addresses, email contacts, and partial payment information.

The Scope of the Exposure

According to data breach notification service Have I Been Pwned (HIBP), the stolen dataset contains extensive user details. Beyond basic contact information, the breach includes purchase histories, genders, and dates of birth. Furthermore, partial credit card data—specifically the card type, expiration dates, and the last four digits—was also compromised.

Attribution and Hacker Demands

The breach allegedly occurred on October 19. A threat actor using the alias “Satanic” claimed responsibility just two days later on the cybercrime forum BreachForums. The attacker initially boasted of stealing 350 million records from Hot Topic and its affiliated brands, Box Lunch and Torrid.

Cybersecurity firm Hudson Rock reported that the hacker attempted to extort $100,000 from the retailer while simultaneously trying to sell the database for $20,000. Following these failed attempts, the price for the stolen database on the dark web has reportedly dropped to $3,500.

Security Failure and Corporate Silence

While the exact mechanism of the security failure remains under investigation, analysts suggest the breach may have originated from infostealer malware. Reports indicate the threat actor potentially harvested credentials for an analytics platform used by Hot Topic, granting them unauthorized access to the retailer’s cloud environments.

Despite the severity of the incident, Hot Topic—which operates over 640 stores across the United States—has yet to issue a formal confirmation or respond to multiple inquiries. Furthermore, there is currently no evidence that the company has notified customers or state attorneys general regarding the exposure of their personal data.