Dive Brief:
- Warby Parker in recent months has been targeted by credential stuffing attacks — incidents in which stolen customer usernames and passwords were used in attempts to access customer accounts, according to a press release sent to Retail Dive.
- The eyeglasses retailer said that about 198,000 of its customer accounts were targeted between late September and late November, when evidence of the attacks was discovered and Warby Parker alerted law enforcement. The retailer stated that unauthorized parties obtained the usernames and passwords from unrelated breaches at other companies.
- The company contacted customers that may have been impacted and required them to change their passwords. Warby Parker stated that there is no indication that the attacks were successful in allowing unauthorized access to payment card information.
Dive Insight:
As retail security attacks go, the estimated number of people that may have been impacted is relatively low compared to other attacks (last year's Shein data breach affected 6.4 million accounts, for example). There doesn't appear to be any proof that the attack was successful, despite occurring over a period of two months.
The credentials that were used in the attempted attacks on Warby Parker are believed to have been stolen in separate, previous attacks on other companies. This is an example of how a successful data breach affecting one company and its customers can have a ripple effect across other companies and industries — especially if customers fail to change their usernames and passwords on accounts they hold with other businesses.
In fact, password reuse is a widespread problem. A study commissioned last year by identity theft intelligence firm 4iQ found that almost half of surveyed consumers admitted to reusing account passwords across multiple websites.
The threat of data breaches is already a problem in retail, one that retailers seem to have few ideas about how to fight effectively. More companies have started to pursue greater protection measures, but the lack of urgency with which their own customers may try to protect themselves, including failing to use different passwords on different accounts, can make data breaches an even tougher problem to fight.
In light of the breach, Warby Parker announced that it will continue investing in tech designed to protect security and privacy.