Bonobos

Bonobos men’s clothing store has suffered a massive data breach exposing millions of customers’ personal information after a cloud backup of their database was downloaded by a threat actor. Bonobos states that the corporate systems were not breached during the attack.

Bonobos started as an online men’s clothing store but later expanded to sixty locations to try on clothes before purchasing them. Walmart bought Bonobos in 2017 for $300 million to sells its clothing on their Jet.com site.

Last weekend, a threat actor known as ShinyHunters, who is notorious for hacking online services and selling stolen databases, posted the full Bonobos database to a free hacker forum.

Forum post leaking the Bonobos database
Forum post leaking the Bonobos database

Massive 70 GB database leaked

This leaked database is a monstrous 70 GB SQL file containing various internal tables used by the Bonobos website. The database also includes various data far more interesting to threat actors, such as customers’ addresses, phone numbers, partial credit card numbers (last four digits), order information, password histories.

The amount of records varies depending on the category of the data. For example, the address and phone numbers are for 7 million customers/orders, account information for 1.8 million registered customers, and 3.5 million partial credit card records.

User records table
Leaked user records table

The passwords stored in the database are hashed using SHA-256 or SHA-512 according to threat actors who have started to analyze the database. One threat actor claims to have already cracked the passwords for 158,000 SHA-256 passwords but has been unable to crack the SHA-512 passwords.

The hacker turned the cracked passwords into a ‘combolist’ used in credential stuffing attacks, which is to log in using the stolen credentials at other sites.

Backup database was stolen from the cloud

After BleepingComputer contacted Bonobos about the leaked database, the clothing store told us that the threat actors did not gain access to internal systems but rather to a backup file hosted in an external cloud environment.

“Protecting our customers’ data is something we take very seriously. We’re investigating this matter further and, so far, have found no evidence of unauthorized parties gaining access to Bonobos’ internal system. What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it.”

“Also, we have taken additional precautionary steps, including turning off access points, invalidating account passwords and requiring password resets, to further secure customer accounts. We’re emailing customers to notify them that their contact information and encrypted passwords may have been viewed by an unauthorized third party. Payment information was not affected by this issue. We’ll continue to share updates with customers as they become available,” Bonobos told BleepingComputer via email.

Though the database did not include full payment information in the database, threat actors can use the partial data in targeted phishing attacks.

Partial credit card information in the database
Partial credit card information in the database

What should Bonobos users do?

As this is a confirmed data breach, it is strongly recommended that all Bonobos users immediately change their password on the site.

If the same password has been used at other sites, change your password to a unique one there as well.

Using unique passwords at every site you have an account prevents a data breach at one site from affecting you at other websites you use.

BleepingComputer recommends using a password manager to track strong and unique passwords for the sites you have accounts.

Finally, all Bonobos customers should be on the lookout for emails asking for credit card or login information, as it could be targeted phishing scams resulting from this data breach.

Update 1/22/21: Our story originally mentioned that the database contained virtual gift cards. Bonobos told us that this data is store credit and cannot be redeemed as tender.