The brand and the private sales site suffered cyberattacks that compromised the data of their respective customers. Login identifiers, dates of birth and bank identity statements were notably among the data compromised.
After a year already full of “incidents”, the hacking of French companies continues in 2025. At the beginning of January, two brands specializing in the sale of ready-to-wear clothing were victims of cyberattacks that resulted in the theft of several items of personal information belonging to their respective customers.
“On January 7, the Second Hand by Kiabi site teams detected a cyberattack by ‘credential stuffing’,” Kiabi told AFP. According to Southwest, which reported the facts, nearly 20,000 customers of the clothing brand are affected. They have since been informed of the cyberattack. Kiabi notably specified that an “IBAN hiding functionality has been added to prevent any recovery of this data” and that customer account passwords had been reset. The brand adds that its site Kiabi.com was not the target of the hackers; the site concerned is secondsmain.kiabi.com.
Cyberattack: Showroomprivé also victim of credential stuffing
The online sales specialist for major brands, Showroomprive.com, was also the victim of a cyberattack at the beginning of January. “Between January 3 and 6, 2025”, the site reported a “series of suspicious connection attempts”, the brand states in an email sent to its customers. The company has taken the necessary measures to contain the problem (a password reset) and asks users to create a new password the next time they log in.
As a security measure, Showroomprivé also advises its customers to change their passwords if they are similar to those used on other services such as email, social networks or even banking.
Cyberattack: what is credential stuffing?
To extract such information, hackers used a method called ‘credential stuffing’. According to Benoit Grunemwald, Cybersecurity Expert at ESET France, “Credential Stuffing is a succession of identification attempts on online accounts, social networks, messaging or even sales sites. These attempts are based on lists of combinations of identifiers (username and password) stolen or guessed.”
Faced with such practices, companies can limit these attacks by choosing one of the three methods set out by Benoit Grunemwald:
- By setting a maximum number of login attempts, in case an attacker tries to guess the password
- By adding multi-factor authentication, which takes effect on the first attempt, even if the attacker knows the target’s password. A temporary code is then requested in addition to the password to validate access to the account.
- By using passwordless login mechanisms
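One way to implement the first measure, as an added example that is not code from Kiabi, Showroomprivé or ESET: because credential stuffing tries each account only once or twice, this limiter counts failed logins per source address as well as per account. The class and function names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window cap on failed logins, per account and per source address."""
    # Thresholds are illustrative assumptions, not values from the article.
    def __init__(self, max_per_account=5, max_per_source=10, window=300):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window = window  # seconds
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _recent(self, queue, now):
        while queue and now - queue[0] >= self.window:  # drop expired failures
            queue.popleft()
        return len(queue)

    def check(self, account, source, now):
        """Return None if the attempt may proceed, else the limit that was hit."""
        if self._recent(self._by_source[source], now) >= self.max_per_source:
            return "source_limit"
        if self._recent(self._by_account[account], now) >= self.max_per_account:
            return "account_limit"
        return None

    def record_failure(self, account, source, now):
        self._by_account[account].append(now)
        self._by_source[source].append(now)

def replay(events, limiter):
    """Replay (timestamp, source, account, password_ok) tuples; return decisions."""
    decisions = []
    for ts, source, account, password_ok in events:
        reason = limiter.check(account, source, ts)
        if reason:
            decisions.append(("blocked", reason))  # password is never evaluated
        elif password_ok:
            decisions.append(("allowed", None))
        else:
            limiter.record_failure(account, source, ts)
            decisions.append(("failed", None))
    return decisions

def sample_events():
    # Constructed events (documentation IP ranges, made-up accounts).
    stuffing = [(i, "203.0.113.7", f"user{i}@example.com", False) for i in range(12)]
    guessing = [(100 + i, "198.51.100.9", "alice@example.com", False) for i in range(7)]
    legit = [(200, "192.0.2.44", "bob@example.com", True)]
    return stuffing + guessing + legit
```

In the sample, the stuffing run never exceeds one failure per account, so only the per-source counter stops it. A stolen pair that is correct on its first try still passes this check, which is the gap the multi-factor measure in the list covers.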
According to the specialist, “this type of attack relies on the fact that many users reuse their identifiers on several sites” and also on the fact that the passwords chosen by Kiabi and Showroomprivé customers are “easily guessable.” In conclusion, he advises using a password manager (such as Chrome's, for example), which lets you generate “complex and unique passwords for each site” and keep them in a personal database. It is a practical tool for retrieving passwords and an effective one against hacking.