J.Crew says a hacker accessed some customer accounts

Clothing giant J.Crew said an unknown number of customers had their online accounts accessed “by an unauthorized party” almost a year ago, but is only now disclosing the incident.

The company said in a filing on Tuesday with the California attorney general that the hacker gained access to the customer accounts in or around April 2019.

According to the letter, the hacker obtained information found in customers’ online accounts — including card types, the last four digits of card payment numbers, expiration dates and associated billing addresses. Online accounts also store customer order numbers, shipping confirmation numbers and shipment statuses.

A spokesperson for the company confirmed the hacker used a technique known as credential stuffing, where existing sets of exposed or breached usernames and passwords are matched against different websites to access accounts.

The spokesperson said a “small number” of customers were affected but did not say specifically how many.

Companies operating in the state are mandated to warn the state’s attorney general’s office of security incidents involving more than 500 California residents. The letter to the attorney general’s office said it’s a “multi-state” notification, indicating that customers in other states are also affected.

A bigger, unanswered question is why it took J.Crew took almost a year to detect and disclose the incident to regulators and customers.

The spokesperson said “routine web scanning” detected the improper access and that customers were “promptly notified.” It’s not known when the scanning took place or why the account breaches weren’t detected sooner. Under the laws of both California and New York — where J.Crew is headquartered — there’s no specific time period under which a company must disclose a breach, only that customers are notified in “the most expedient time possible and without unreasonable delay.”

J.Crew becomes the latest in a string of companies disclosing security incidents as a result of credential stuffing. Amazon-owned doorbell maker Ring, Chipotle, Spotify and game streaming service Twitch have all seen customers complain of account breaches in the past year.