In an attack last spring, a hacker hit J.Crew’s website and accessed sensitive information in some users’ accounts, the company disclosed on Tuesday.
According to a notice posted on the California Attorney General’s website, the hacker would have been able to access some users’ personal information, including:
- “the last four digits of credit card numbers you have stored in your account”
- “the expiration dates”
- “card types, and billing addresses connected to those cards”
- “order numbers”
- “shipping confirmation numbers, and shipment status of those orders”
J.Crew blamed “an unauthorized party” for the hack and said it happened “in or around April 2019.” According to reports from TechCrunch and Bleeping Computer, the accounts were accessed with a method called credential stuffing, which uses compromised login info to automatically break into accounts (made possible, in part, because people so often reuse their passwords).
It’s not clear why it took the American clothing brand nearly a year to disclose the hack. Fast Company has reached out to J.Crew for more information.