Security Market Segment LS
Thursday, 16 May 2019 10:07

UNIQLO customer data stolen through credential stuffing attack

UNIQLO customer data stolen through credential stuffing attack Pixabay

Japanese public retail holding firm Fast Retailing has revealed that its UNIQLO Japan and GU Japan online stores have been breached and a total of 461,091 customer accounts accessed through a credential stuffing attack between 23 April and 10 May.

In a statement, Fast Retailing said the following information was likely to have been accessed:

  • Customer name (last name and first name)
  • Customer address (postal code, address, and apartment number)
  • Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
  • Receiver name (last name and first name), address, and phone number
  • Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.

The company added: "Currently, Fast Retailing has identified the origin of the communication from which the unauthorised logins were attempted and has blocked access, and is strengthening monitoring of other access points.

"On 13 May, the company disabled the passwords for the 461,091 user IDs that had been potentially accessed, and is sending individual emails to each person affected, requesting that they reset their password."

Commenting on the breach, Kevin Gosschalk, chief executive of fraud and abuse prevention company Arkose Labs, said: the breach shone a light on the seriousness of hackers carrying out automated attacks at scale.

"After nearly half a million accounts have been compromised, UNIQLO is urging users to not only reset their passwords, but to create a unique password for their accounts to reduce the chances of being hacked.

"Although that is a good immediate first step, companies can’t guarantee users will comply and they could still be at risk. Companies need to actively monitor and protect their attack surface. Cyber criminals are constantly discovering new ways to take over accounts, and companies should provide proactive and preventative defences that stop these attacks without burdening the end-user.”

Chris Kennedy, chief information and security officer and vice-president of customer success at security firm AttackIQ, said: “UNIQLO discovered the breach after customers reported strange account activity and after the company blocked the attackers from accessing the company’s computing systems.

"However, it is alarming that this malicious third party was able to obtain unauthorised access via credential stuffing and elevate its access to move laterally through the company’s network to pilfer the data of approximately 460,000 users before being discovered.

"This leaves the questions of whether UNIQLO had controls in place to prevent this data from being stolen, if the company has ever tested those controls, or if Uniqlo was exclusively relying on users with user access to not engage in malicious activity."

Kennedy said the attackers' success demonstrated that UNIQLO had weak internal monitoring and possibly poor architecture that made customer data far too easy to access.

He added that the company was likely to have had "a lack of a separation of user roles and no data loss prevention solution in place that prevented the disclosure or theft of sensitive data, and clearly no control validation program".

"The insecure software development and insufficient use of security best practices from UNIQLO has created significant shared risk for itself and its customers alike. Only through comprehensive validation of its cyber readiness can an organisation ensure that its applications and systems can withstand a cyber attack. Enterprises must be held accountable for securing its users’ data and for validating its cyber readiness before an adversary does.”


As part of our Lead Machine Methodology we will help you get more leads, more customers and more business. Let us help you develop your digital marketing campaign

Digital Marketing is ideal in these tough times and it can replace face to face marketing with person to person marketing via the phone conference calls and webinars

Significant opportunity pipelines can be developed and continually topped up with the help of Digital Marketing so that deals can be made and deals can be closed

- Newsletter adverts in dynamic GIF slideshow formats

- News site adverts from small to large sizes also as dynamic GIF slideshow formats

- Guest Editorial - get your message out there and put your CEO in the spotlight

- Promotional News and Content - displayed on the homepage and all pages

- Leverage our proven event promotion methodology - The Lead Machine gets you leads

Contact Andrew our digital campaign designer on 0412 390 000 or via email



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments