PetSmart warns customers of credential stuffing attack
Pet retail company PetSmart has emailed customers to alert them to a recent credential stuffing attack.
Credential stuffing relies on the re-use of passwords. Take this example: A user of Site A uses the same email and password to log in to Site B. Site A gets compromised and those login details are exposed. People with access to the credentials from Site A try them on Site B, often via automation, and gain access to the user's account.
If the user had different passwords on Site A and Site B, the attacker would have been stopped before they got in to Site B. This is why we are continuously telling people to not reuse their passwords. If all your logins are hard to remember (and they should be), you can use a password manager to help you.
We'd like to praise PetSmart for the way in which it handled the attack, setting a good example by warning customers.
“Dear Pet Parent,
We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised. Instead, our security tools saw an increase in password guessing attacks on petsmart.com and during this time your account was logged into. While the log in may have been valid, we wanted you to know.
In an abundance of caution to protect you and your account, we have inactivated your password on petsmart.com. The next time you visit petsmart.com, simply click the “Forgot password” link to reset your password. You can also reset your password by visiting www.petsmart.com/account/.
Across the internet, fraudsters are constantly trying to obtain user names and passwords and they often try and test the credentials they find on various websites, like ours. To help keep your accounts secure, remember to use strong passwords for each of your important accounts.
Thank you for your understanding. If you have any questions about this, or any other issue, please feel free to contact us at customercare@petsmart.com or 888-839-9638.
Sincerely,
The PetSmart Data Security Team”
While we don't agree with everything in the email (a strong password would not have made a difference here), it is informative, to the point, and helpful.
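The response the email describes (spotting a surge of guessing attempts, then resetting accounts that were logged into during it) can be sketched as detection logic over login events. This is an added example, not PetSmart's or Malwarebytes' code; the event format, the per-source thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, account, login_succeeded)
EVENTS = (
    # One source walking through many accounts, mostly failing
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(1, 6)]
    + [("203.0.113.7", "user6@example.com", True)]  # a re-used password works
    # An ordinary user mistyping a password once
    + [("198.51.100.20", "user2@example.com", False),
       ("198.51.100.20", "user2@example.com", True)]
    # A shared office address: many accounts, all legitimate
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(1, 6)]
)

def flag_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Return sources that tried many distinct accounts and mostly failed."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for ip, account, ok in events:
        accounts[ip].add(account)
        attempts[ip] += 1
        if not ok:
            failures[ip] += 1
    return {
        ip for ip in attempts
        if len(accounts[ip]) >= min_accounts
        and failures[ip] / attempts[ip] >= min_fail_ratio
    }

def accounts_to_reset(events, min_accounts=5, min_fail_ratio=0.8):
    """Accounts with a successful login from a flagged source."""
    bad = flag_stuffing_sources(events, min_accounts, min_fail_ratio)
    return sorted({acct for ip, acct, ok in events if ok and ip in bad})

if __name__ == "__main__":
    print("Flagged sources:", flag_stuffing_sources(EVENTS))
    print("Force password reset for:", accounts_to_reset(EVENTS))
```

The successful login from the flagged source is the only account queued for reset. The mistyped password and the shared office address are left alone because neither combines many distinct accounts with a high failure ratio.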
Digital Footprint scan
If you were one of those customers and the login was not you, that means the attacker knew your email and password. Maybe they found them in the proceeds of a previous data breach.
Malwarebytes has a tool that can help you find out how much of your own data is currently exposed online. Our free Digital Footprint scan scours the internet to find your exposed passwords and much more. Fill in your email address (it's best to submit the one you most frequently use) and we'll send you a report.