Retail giant Bed Bath & Beyond revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that some online customer accounts were accessed by a third party.
“Bed Bath & Beyond Inc.discovered that a third party acquired e-mail and password information from a source outside of theCompany’s systems which was used to access less than 1% of the Company’s online customer accounts,” the company said.
While there has been a lot of speculation regarding the incident, Bed Bath & Beyond told SecurityWeek that its investigation determined that the abused usernames and passwords were likely acquired as a result of a breach at a different company and the attackers relied on the fact that many users set the same password for multiple accounts.
The company’s representatives said they could not provide an exact number of affected accounts, but they confirmed that the incident impacted less than 1% of online customer accounts.
Bed Bath & Beyond has started notifying impacted customers on October 29. The retailer said no payment cards were compromised as a result of the incident.
The company has hired a security forensics firm to investigate the incident and claims to have implemented mitigation measures.
“Due to the limited nature of the security incident and the Company’s cyber incident insurance coverage, the Company does not expect this security incident to have a material adverse effect on its results of operations, cash flows or financial condition for any fiscal period,” Bed Bath & Beyond said in the SEC filing.
Earlier this year, Bed Bath & Beyond informed some customers that their payment card information may have been illegally obtained by one of its call center employees in charge of processing orders over the phone.
Related: Ticketmaster Blames Third Party Over Data Breach
Related: Cybercriminals Target Amazon Third-Party Sellers With Password Reuse Attacks