Security Experts:

Connect with us

Hi, what are you looking for?



Bed Bath & Beyond Blames Password Reuse for Hacked Accounts

Retail giant Bed Bath & Beyond revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that some online customer accounts were accessed by a third party.

Retail giant Bed Bath & Beyond revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that some online customer accounts were accessed by a third party.

“Bed Bath & Beyond Inc.discovered that a third party acquired e-mail and password information from a source outside of theCompany’s systems which was used to access less than 1% of the Company’s online customer accounts,” the company said.

While there has been a lot of speculation regarding the incident, Bed Bath & Beyond told SecurityWeek that its investigation determined that the abused usernames and passwords were likely acquired as a result of a breach at a different company and the attackers relied on the fact that many users set the same password for multiple accounts.

The company’s representatives said they could not provide an exact number of affected accounts, but they confirmed that the incident impacted less than 1% of online customer accounts.

Bed Bath & Beyond has started notifying impacted customers on October 29. The retailer said no payment cards were compromised as a result of the incident.

The company has hired a security forensics firm to investigate the incident and claims to have implemented mitigation measures.

“Due to the limited nature of the security incident and the Company’s cyber incident insurance coverage, the Company does not expect this security incident to have a material adverse effect on its results of operations, cash flows or financial condition for any fiscal period,” Bed Bath & Beyond said in the SEC filing.

Earlier this year, Bed Bath & Beyond informed some customers that their payment card information may have been illegally obtained by one of its call center employees in charge of processing orders over the phone.

Related: Ticketmaster Blames Third Party Over Data Breach

Related: Cybercriminals Target Amazon Third-Party Sellers With Password Reuse Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.