In a recent cybersecurity incident, Petsmart, the largest retailer of animal goods in the United States with over 1,600 stores serving 60 million customers, fell victim to targeted cyber attacks. On March 6, Petsmart’s security team began notifying their clients that their accounts were under attack in an attempt to gain access to personal data, with the attackers utilizing Credential Stuffing.
As a precautionary measure, Petsmart reset the passwords of all accounts involved in the attacks, as it was unclear whether the account owners or attackers were accessing them. Petsmart reassured customers that there were no signs of compromise on their website or systems. Customers were provided with instructions on how to regain access to their accounts through the “FOR THE POTITION FURGE” link on the company’s official website.
Credential Stuffing attacks involve using login credentials obtained from data breaches to gain unauthorized access to accounts on other platforms. Once breached, attackers can engage in fraudulent activities like making purchases, sending spam, or launching further cyber attacks.
Notably, other large companies such as PayPal, Spotify, Xfinity, and Draftkings have also faced similar attacks in the past. In a high-profile case in May 2023, an 18-year-old hacker was charged with hacking into Draftkings, a sports betting platform, and selling the account data of 60,000 users on the darknet. The hacker caused $600,000 in damages to Draftkings and was subsequently sentenced to one and a half years in prison, three years on probation, and a substantial fine.