Postmortem: Australian Retailer, The Iconic Incident Review
Posted: Tuesday, Jun 03
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB. She is a serial entrepreneur who co-founded the TMFE Group, a holding company and consortium of several cybersecurity-related businesses, including an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. KBI.Media is an independent and agnostic global cyber security media company with KB at the helm of its journalism division. As a cybersecurity investigative journalist, KB hosts her flagship podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions in cyber budgets. KB asks hard questions and gets real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. As producer and host of the streaming show 2Fa.tv, she sits down with experts to demystify the world of cybersecurity and provide genuine insight to business executives on the downstream impacts that cybersecurity advancements and events have on our wider world.


In a 2024 incident in the retail sector, The Iconic, one of Australia’s leading online fashion retailers, fell victim to a large-scale credential stuffing attack. The incident compromised the security and privacy of its customers and raised serious questions about the account-security controls in place at retail organisations. Credential stuffing is a significant threat in a sector where consumer data is as valuable as currency.

Summary

An unauthorised third party gained access to some Iconic customer accounts using login credentials obtained from data breaches of other websites, a technique known as ‘credential stuffing’: username and password pairs leaked elsewhere are replayed against The Iconic’s login in the expectation that some customers reused them. There was no breach of The Iconic’s own systems. The unauthorised access may have resulted in changes to personal details and unauthorised charges; customers may have noticed it through order confirmation emails for orders they did not place, changes to their personal details, an inability to log in, or unauthorised charges to their payment method. The Iconic activated its incident response processes, initiated an investigation, and worked with cybersecurity partners to assess the impact. Affected customers were contacted and provided with recommendations and support.

Root Cause Analysis

The breach was the result of credential stuffing. Attackers used username and password pairs obtained from breaches of other platforms, exploiting the common practice of reusing passwords across multiple sites. Because The Iconic’s login treated a valid password as sufficient proof of identity, with no multi-factor authentication (MFA) to require anything an attacker holding a leaked password would lack, anyone with a customer’s reused credentials could log in as that customer.

Impact Assessment

  • Customers: Affected individuals experienced unauthorised transactions, leading to financial losses and the inconvenience of securing refunds.
  • The Iconic: The company faced reputational damage, financial implications due to refunds, and increased scrutiny over its security practices.

Understanding Credential Stuffing

Credential stuffing is a type of cyber attack where attackers use lists of compromised user credentials (username-password pairs) obtained from previous data breaches to gain unauthorised access to user accounts on other platforms. This method exploits the common practice among internet users of reusing passwords across multiple services. Automated software allows attackers to perform these login attempts at scale, testing millions of credential combinations on numerous websites until they find matches.
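To make the shape of the attack concrete, here is an added detection example, not code from The Iconic or KBI.Media, that runs over constructed login-event lines; the log format (timestamp, source IP, username, outcome), the addresses and the account names are all assumptions. It separates stuffing (many accounts, one or two attempts each) from brute force (one account, many attempts), lists the accounts that logged in successfully from a stuffing source, and flags the low-and-slow variant that spreads single attempts across many proxies so that no single address looks noisy:

```python
"""Credential-stuffing detection over login events.

Added example, not code from The Iconic or KBI.Media. The log format
("timestamp source_ip username outcome"), the addresses and the accounts
below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one normal user with a typo, one source spraying leaked
# credentials across many accounts, one source brute-forcing a single account,
# and a "low and slow" fleet spreading single attempts across many proxies.
SAMPLE_LOG = """\
2024-01-08T10:00:01Z 203.0.113.10 alice@example.com SUCCESS
2024-01-08T10:00:40Z 203.0.113.10 alice@example.com FAIL
2024-01-08T10:00:55Z 203.0.113.10 alice@example.com SUCCESS
2024-01-08T10:01:00Z 198.51.100.7 user01@example.com FAIL
2024-01-08T10:01:01Z 198.51.100.7 user02@example.com FAIL
2024-01-08T10:01:02Z 198.51.100.7 user03@example.com FAIL
2024-01-08T10:01:03Z 198.51.100.7 user04@example.com SUCCESS
2024-01-08T10:01:04Z 198.51.100.7 user05@example.com FAIL
2024-01-08T10:01:05Z 198.51.100.7 user06@example.com FAIL
2024-01-08T10:02:00Z 192.0.2.21 bob@example.com FAIL
2024-01-08T10:02:03Z 192.0.2.21 bob@example.com FAIL
2024-01-08T10:02:06Z 192.0.2.21 bob@example.com FAIL
2024-01-08T10:02:09Z 192.0.2.21 bob@example.com FAIL
2024-01-08T10:02:12Z 192.0.2.21 bob@example.com FAIL
2024-01-08T10:03:00Z 198.51.100.101 user07@example.com FAIL
2024-01-08T10:03:01Z 198.51.100.102 user08@example.com FAIL
2024-01-08T10:03:02Z 198.51.100.103 user09@example.com FAIL
2024-01-08T10:03:03Z 198.51.100.104 user10@example.com FAIL
2024-01-08T10:03:04Z 198.51.100.105 user11@example.com SUCCESS
"""


def parse(log_text):
    """Return (source_ip, username, success) tuples; malformed lines are skipped.
    In production the caller would feed a sliding window (e.g. the last 10 minutes)."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        events.append((ip, user, outcome == "SUCCESS"))
    return events


def classify_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """Per-source verdict: 'stuffing', 'brute_force' or 'benign'.

    Stuffing tries one leaked password against many different accounts, so its
    signature is many distinct usernames per source with a high failure rate.
    Brute force is the inverse shape: many failures against a single account.
    """
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1
    verdicts = {}
    for ip, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "stuffing"
        elif len(s["users"]) == 1 and s["fails"] >= min_accounts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts, stats


def compromised_accounts(events):
    """Accounts that logged in successfully from a source judged to be stuffing:
    the likely takeovers to lock, re-verify and check for fraudulent orders."""
    verdicts, stats = classify_sources(events)
    hits = set()
    for ip, verdict in verdicts.items():
        if verdict == "stuffing":
            hits |= stats[ip]["hits"]
    return sorted(hits)


def distributed_signal(events, max_attempts=2, min_sources=4):
    """Low-and-slow variant: each proxy sends only a couple of attempts so no
    single IP trips classify_sources. Count quiet sources that only ever failed;
    legitimate users rarely fail every attempt and then vanish."""
    outcomes = defaultdict(list)
    for ip, _user, ok in events:
        outcomes[ip].append(ok)
    quiet_failers = sorted(ip for ip, oks in outcomes.items()
                           if len(oks) <= max_attempts and not any(oks))
    return len(quiet_failers) >= min_sources, quiet_failers


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(classify_sources(evts)[0])
    print("accounts to review:", compromised_accounts(evts))
    print("distributed stuffing:", distributed_signal(evts))
```

The thresholds are deliberately parameters: a retailer’s normal traffic sets the baseline, and the useful tuning signal is the ratio of distinct accounts to attempts per source, not raw request volume. The success inside a stuffing burst (user04 above) is the event that matters operationally, since that is the account whose order history and payment details now need review.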

For businesses like The Iconic, which handle vast amounts of personal and financial data, the risk posed by such attacks cannot be overstated. Successful credential stuffing attacks can lead to unauthorised transactions, data theft, and significant reputational damage.

Implications for Businesses and Consumers

The breach experienced by The Iconic serves as a stark reminder of the vulnerabilities present in digital platforms today. For businesses, especially those in the retail sector that process high volumes of online transactions, it underscores the critical need for robust cybersecurity measures that go beyond traditional perimeter defences.

Consumers are equally affected by these incidents. In addition to potential financial losses from unauthorised transactions made on their accounts, there’s also the risk of sensitive personal information being exposed or sold on dark web marketplaces. Such outcomes can have long-lasting effects on individuals’ privacy and financial well-being.

Timeline of Events

  • January 2024: Customers began reporting unauthorised orders placed through their accounts on The Iconic
  • January 9, 2024: The Iconic acknowledged the increase in fraudulent account login attempts and announced plans to refund affected customers
  • January 11, 2024: Further reports claimed that weaknesses in The Iconic’s payment flow had left customers exposed to fraud

Response Measures

  • Immediate Actions:
    The Iconic committed to refunding customers who were charged for fraudulent orders.
    The company enhanced monitoring for suspicious account activity and worked with security partners to address the issue.
  • Long-Term Strategies:
    While specific measures were not publicly detailed, it is recommended that The Iconic implement MFA, encourage stronger password policies, and conduct regular security assessments to prevent future incidents.

I reached out to The Iconic as I was curious about their response to the situation and they were receptive to my ask:

“Last year, we saw an increase in fraudulent account login attempts on THE ICONIC, which resulted in some fraudulent orders made and received by unauthorised third-party actors, and not a result of a data breach at THE ICONIC. When we were made aware of the incident, we took proactive measures to cancel unauthorised orders prior to shipping and provide full refunds to affected customers. Our Security and Fraud teams worked quickly to actively manage and minimise the impact of the incident as a critical priority, in conjunction with our expert security partners. We worked closely with law enforcement authorities including the Police in various States and Territories, the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner in New Zealand at the time of the incident. We also

THE ICONIC has always prioritised a high level of security to protect our customers’ personal information. We had a number of robust security and fraud measures in place at the time of the incident and we continue to heavily invest in expertise to help detect fraud and scams, including further enhancing our security measures to help identify and prevent unauthorised third-party activity. We also remain committed to cyber preparedness, including continually refining our internal processes and increasing the frequency of our cyber simulations to ensure swift containment of future incidents.

Our advice to fellow retailers echoes our own learnings: prioritise robust security measures, invest in regular simulations, review and update internal processes, foster collaboration, and maintain a culture of continuous improvement.” – THE ICONIC

Strategies for Mitigation

Mitigating the risk of credential stuffing requires a multi-pronged approach that combines technical controls with changes in user behaviour. None of the measures below is a silver bullet; they look easy in theory but are harder to get right in practice than people may think.

  • Implementation of Advanced Security Measures: Organisations must, at a minimum, adopt two-factor authentication (2FA), which requires users to present a second authentication factor alongside their password, so that a leaked password on its own is not enough to log in. Deploying threat detection that profiles login traffic, whether rule-based or driven by machine learning, can identify patterns indicative of automated attacks, such as many distinct accounts attempted from a single source with a high failure rate.

Satnam Narang, Senior Staff Research Engineer at Tenable commented,

“Furthermore, companies can proactively detect compromised passwords by cross-referencing them with breached password datasets. This entails monitoring and scrutinising leaked passwords from past breaches to identify any matches with their user accounts. Timely identification and mitigation of compromised passwords enable organisations to thwart credential-stuffing endeavours before they evolve into security breaches.”

  • Promotion of Good Cyber Hygiene Among Users: Educating users about the importance of unique passwords for different services can significantly reduce the success rate of credential stuffing attacks. Password managers can assist in generating and storing complex passwords securely.
  • Regular Security Audits: Regularly conducting security audits and vulnerability assessments can help organisations identify potential weaknesses in their systems before they can be exploited by attackers.
  • Incident Response Planning: Having a well-defined incident response plan enables organisations to react swiftly and effectively should a breach occur, minimising damage and restoring operations more rapidly.
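Narang’s suggestion above of cross-referencing passwords against breached datasets can be done without ever sending a user’s password to the service that holds the breach data. The following is an added example, not The Iconic’s code: `BREACH_CORPUS` and `range_lookup()` are constructed stand-ins for a breach dataset and its range-query endpoint, and the split at five hex characters of SHA-1 mirrors the Pwned Passwords k-anonymity protocol, so only the prefix, never the password or its full hash, leaves the client.

```python
"""Breached-password screening with k-anonymity.

Added example, not The Iconic's code. BREACH_CORPUS and range_lookup() are
constructed stand-ins for a breach dataset and a range-query service; the
five-hex-character SHA-1 prefix split mirrors the Pwned Passwords protocol.
"""
import hashlib

# Constructed corpus: plaintext -> times seen in breaches. Real datasets ship
# as hash lists with counts; plaintext appears here only to build the index.
BREACH_CORPUS = {
    "password": 9_545_824,
    "Summer2023!": 41,
    "iconic123": 3,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every breached hash by its first five hex characters."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_lookup(prefix):
    """Stand-in for GET /range/{prefix}: every (suffix, count) under the prefix.
    The server learns only that the password hashes into this bucket, which in
    a real corpus holds hundreds of unrelated candidates, not which one it is."""
    return RANGE_INDEX.get(prefix.upper(), {})


def breach_count(password):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def password_accepted(password, min_length=8):
    """Registration, reset or login-time policy in the spirit of NIST SP 800-63B:
    enforce a minimum length and reject anything present in breach data, rather
    than composition rules that push users toward predictable variations."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"appears in breach data ({seen} times); choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "correct horse battery staple"):
        print(candidate, "->", password_accepted(candidate))
```

One caveat practitioners run into when applying this to an existing user base: passwords stored with a salted, stretched hash (as they should be) cannot be bulk-compared against a breach corpus, because the corpus is indexed by unsalted SHA-1. The check therefore runs at the moments the plaintext is legitimately in hand, namely registration, password reset and login, and a match at login should trigger a forced reset rather than a lockout.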

Narang went on to say,

“Organisations must take a central role in bolstering their security stance by safeguarding users against credential-stuffing attacks. An effective approach involves the adoption of multi-factor authentication (MFA). By necessitating additional verification measures before granting access, MFA serves as a defence mechanism, even in scenarios involving stolen credentials.”
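The mechanism Narang describes, a second factor that a stolen password does not satisfy, looks like this in code. This is an added example and not The Iconic’s login implementation: PBKDF2 for password storage and TOTP (RFC 6238 built on RFC 4226 HOTP) for the second factor are this example’s own choices, the secret is the published RFC 4226 test key, and the account and password are constructed. It shows a leaked password being rejected without a code, accepted with the current code, and rejected again when that code is replayed in the next window.

```python
"""Password + TOTP login that defeats a replayed leaked password.

Added example, not The Iconic's code. PBKDF2 for password storage and TOTP
(RFC 6238 over RFC 4226 HOTP) for the second factor are this example's
choices; the secret below is the public RFC 4226 test key, and the account
is constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

RFC4226_SECRET = b"12345678901234567890"  # published test-vector key, never reuse


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic
    truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class Account:
    def __init__(self, password, totp_secret):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1  # each TOTP window may be redeemed only once

    def password_ok(self, password):
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)


def login(account, password, code, now, step=30, skew=1):
    """Return (ok, reason). Both factors are checked before any session exists,
    and a wrong password and a wrong code yield the same message so the
    endpoint does not reveal which half of a stuffed pair was correct."""
    if not account.password_ok(password):
        return False, "invalid credentials"
    if code is None:
        return False, "mfa required"
    counter = int(now) // step
    for c in range(counter - skew, counter + skew + 1):  # tolerate clock drift
        if c <= account.last_counter:
            continue  # already redeemed: blocks replay of an intercepted code
        if hmac.compare_digest(hotp(account.totp_secret, c), code):
            account.last_counter = c
            return True, "ok"
    return False, "invalid credentials"


def demo():
    """Leaked password alone: rejected. Password + current code: accepted.
    Same code replayed in the next window: rejected. Wrong password: rejected."""
    acct = Account("Summer2023!", RFC4226_SECRET)
    return [
        login(acct, "Summer2023!", None, 59),
        login(acct, "Summer2023!", totp(RFC4226_SECRET, 59), 59),
        login(acct, "Summer2023!", totp(RFC4226_SECRET, 59), 61),
        login(acct, "wrong", totp(RFC4226_SECRET, 61), 61),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things to keep in mind when reading the result. The "mfa required" response necessarily confirms that the password was right, so a stuffing tool still learns which leaked pairs are valid even though it cannot log in; MFA therefore belongs alongside rate limiting and the source-level detection shown earlier, not in place of them. And TOTP stops a replayed password but not a real-time phishing proxy that relays the code; phishing-resistant factors such as passkeys close that gap, but for the attack in this incident a password plus any second factor would have sufficed.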

Lessons Learned

The credential stuffing attack against The Iconic is an example of how retailers are not immune to cyber threats. The retailer responded to its customers quickly and is working to improve its security so that customers can keep transacting on its platform with confidence. The broader lesson for any consumer-facing platform is that a password alone is no longer sufficient proof of identity when that password may already sit in a breach corpus: a second factor, screening of passwords against breach data, and monitoring of login traffic for automated patterns are the controls that stop a reused password from becoming an account takeover.
