Automated attack lets hackers access 5,200 user accounts

Feb 2, 2016 13:05 GMT

Neiman Marcus has sent letters to some of its customers informing them of an incident in which an unauthorized party guessed their passwords, logged into their accounts, and in some cases attempted to initiate fraudulent transactions.

The Neiman Marcus Group (NMG) is a US-based international luxury retailer that owns and sells products under brands such as Alexander McQueen, Carolina Herrera, Dolce & Gabbana, Donna Karan, Givenchy, Jimmy Choo, Valentino, and many more.

Hackers tried to guess their way into customer accounts

According to a letter sent to affected customers on January 29, 2016, the retailer says that, starting December 26, 2015, its system administrators observed an attack against several of the websites through which NMG sells its products online.

The attacks were not destructive in nature; they consisted of a large volume of automated login attempts trying to find valid username and password combinations.

NMG says that roughly 99% of these login attempts failed, but the remaining 1% amounted to more than 5,200 correctly guessed username and password combinations, giving the attackers access to customer profiles on Neiman Marcus, Bergdorf Goodman, Horchow, Last Call, and CUSP.

On 70 of these accounts, Neiman Marcus says the attackers initiated fraudulent transactions; the company says its IT staff detected the activity quickly and has refunded all affected customers.

Password reuse may be to blame

While they had access to the 5,200 accounts, the intruders could view the customers' real names, email addresses, shipping addresses, phone numbers, purchase history, and the last digits of the payment cards registered to the accounts.

Lindy Rawlinson, Neiman Marcus Senior Vice President of eCommerce, says the company has never experienced a data breach in which usernames and passwords could have been stolen or leaked.

NMG security staff believe the attackers took username and password combinations leaked in other companies' breaches and replayed them against NMG's websites to find which ones also worked there, counting on the fact that users frequently reuse the same username and password across sites. This technique is commonly known as credential stuffing; the low success rate (about 1%) and the large number of distinct usernames tried are its characteristic signature, as opposed to a brute-force attack that hammers one account with many passwords.

UPDATE: The article was updated to correct the number of accounts on which fraudulent transactions were initiated. The correct value is 70.