HauteLook

We've been tracking a concerning trend of credential stuffing attacks targeting e-commerce platforms, often fueled by readily available dumps of user data. This week, a 2018 breach of HauteLook, a flash-sale fashion website owned by Nordstrom, resurfaced on several dark web forums. What really struck us wasn't the age of the breach, but the sheer volume of records and the continued viability of the exposed credentials. It serves as a stark reminder that even older breaches can present a significant risk when the data remains in circulation and password reuse is rampant.

HauteLook's 21 Million Record Breach: Still a Threat

The HauteLook breach, originally occurring on August 7, 2018, involved the exposure of 21,227,367 user records. The database dump includes a range of personal information, including email addresses, birthdates, first names, last names, gender, and password hashes. While the breach itself is not new, the data's reappearance in underground marketplaces highlights the persistent threat it poses to individuals and organizations alike. This isn't just about one website; it's about the ripple effect of compromised credentials across the web.

The breach initially caught our attention due to chatter on several Telegram channels known for trading leaked databases. Members were actively sharing and discussing the HauteLook data, indicating its continued relevance for malicious actors. What made this stand out was the fact that the breach was several years old, yet the data was still being actively traded and utilized. This suggests that many users may not have updated their passwords since the breach, leaving them vulnerable to credential stuffing attacks on other platforms.

This matters to enterprises now because it underscores the importance of proactive credential monitoring and password reset policies. Companies should be actively scanning for employee credentials in leaked databases and encouraging users to adopt unique, strong passwords for each online account. The HauteLook breach serves as a case study of how seemingly old data can still be weaponized to gain unauthorized access to sensitive systems and data.

Key point: Total records exposed: 21,227,367

Key point: Types of data included: Email Address, Birthdate, First Name, Last Name, Gender, Password Hash

Key point: Sensitive content types: PII

Key point: Source structure: Database

Key point: Leak location(s): Telegram channels, Breach Forums

Key point: Date of first appearance: August 7, 2018 (breach date), recent reappearance on Telegram

External Context & Supporting Evidence

While initial reporting on the breach was limited, security researcher Troy Hunt added the HauteLook breach to Have I Been Pwned?, a well-known data breach notification service. This allowed individuals to check if their email address was part of the breach. The fact that this breach is included in such a reputable source underscores its legitimacy and potential impact.

The re-emergence of the HauteLook data aligns with a broader trend of increased credential stuffing attacks. A recent report by Akamai highlighted a significant increase in credential stuffing attacks targeting the retail and e-commerce sectors. This suggests that threat actors are actively leveraging leaked credentials to compromise user accounts and gain access to valuable data. One Telegram post claimed the files were being used in automated credential stuffing tools targeting other e-commerce sites.

Email · Address · Birthdate · First · Name · Last · Gender · Password · Hash