Severity: critical
Records: 57,000,000
Vector: Credential theft via infostealer malware, Snowflake cloud access without MFA
Organization: Hot Topic, Torrid, BoxLunch
Incident Date: 2024-10-01

What Happened

In October 2024, a threat actor using the alias “Satanic” announced the theft of 57 million customer records from Hot Topic, Torrid, and BoxLunch retail chains. The breach ranks among the largest retail data compromises in history, exposing customer names, email addresses, physical addresses, phone numbers, purchase histories, dates of birth, and approximately 25 million credit card numbers encrypted with a weak cipher.

The attacker initially demanded a $100,000 ransom from Hot Topic, later reducing the demand to $20,000. When Hot Topic did not respond, the data was listed for sale on a hacking forum for $20,000. As of early 2026, Hot Topic has not publicly acknowledged the breach or notified affected customers.

How They Got In

The breach originated through Hot Topic’s Snowflake cloud data warehouse account, part of a broader campaign by threat actor group UNC5537 that affected over 160 Snowflake customers in 2024.

A third-party contractor working with Hot Topic was infected with infostealer malware that harvested their Snowflake credentials. Because Hot Topic’s Snowflake account did not have multi-factor authentication enabled, the stolen credentials provided direct access to the cloud database containing years of customer transaction data.

The attackers accessed the Snowflake environment multiple times between October 2024 and the public disclosure of the breach, exfiltrating approximately 730 GB of data.

Data Exposed

The stolen database contained customer records spanning years of purchases across all three retail brands.

Personal information included full names, email addresses, physical addresses, phone numbers, dates of birth, and gender. Purchase data covered transaction histories, loyalty program points, and store preferences. Payment information included approximately 25 million credit card numbers with partial expiration dates, though the data was encrypted.

Security researchers noted the encryption used on credit card data was weak and potentially reversible, increasing the risk of payment card fraud.

Broader Snowflake Campaign

Hot Topic was one of over 160 organizations victimized in the Snowflake credential theft campaign during 2024. Other victims included Ticketmaster (560 million records), Neiman Marcus (31 million), Advance Auto Parts (79 million email addresses), and AT&T.

The common factor across all Snowflake breaches was the absence of multi-factor authentication on cloud accounts, combined with credentials harvested through infostealer malware infections on employee or contractor devices.

Mandiant attributed the campaign to UNC5537, a financially motivated threat actor that systematically targeted Snowflake customers using credentials purchased from infostealer logs.

Response and Aftermath

Hot Topic’s lack of public acknowledgment of the breach drew criticism from security researchers and privacy advocates. The company did not file breach notifications with state attorneys general or notify affected customers directly.

Have I Been Pwned, the breach notification service, added the Hot Topic data to its database in late 2024, allowing individuals to check if their information was exposed.

Lessons Learned

The Hot Topic breach demonstrates critical cloud security failures. Multi-factor authentication on cloud data warehouses is essential, particularly for environments containing sensitive customer data. Third-party contractor security directly impacts enterprise security, as infostealer infections on contractor devices provided the initial access vector. Weak encryption provides false security when attackers have direct database access.

Organizations using Snowflake and similar cloud data platforms should enforce MFA on all accounts, implement IP allowlisting, monitor for anomalous data access patterns, and ensure third-party contractors meet minimum security requirements.
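
The MFA, IP allowlisting and monitoring recommendations above can be checked against login records. The following Python script is an added example, not part of the original write-up: it flags successful password-only logins and logins from outside an allowlist. The rows, CIDR ranges and second-factor value are constructed, and the field names assume an export keyed like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.

```python
import ipaddress

# Constructed allowlist (documentation ranges); use real corporate egress CIDRs.
ALLOWED_NETS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.16/28")]

def _row(user, ip, first, second, ok="YES"):
    # Keys assumed to match an export of ACCOUNT_USAGE.LOGIN_HISTORY.
    return {"USER_NAME": user, "CLIENT_IP": ip, "FIRST_AUTHENTICATION_FACTOR": first,
            "SECOND_AUTHENTICATION_FACTOR": second, "IS_SUCCESS": ok}

# Constructed sample rows, not data from the incident.
SAMPLE_LOGINS = [
    _row("ANALYST_A", "198.51.100.20", "PASSWORD", "MFA_TOKEN"),
    _row("ETL_SVC", "203.0.113.18", "RSA_KEYPAIR", None),
    _row("CONTRACTOR_B", "198.51.100.77", "PASSWORD", None),
    _row("CONTRACTOR_B", "192.0.2.45", "PASSWORD", None),
    _row("ANALYST_A", "192.0.2.99", "PASSWORD", None, ok="NO"),
]

def in_allowlist(ip, nets=ALLOWED_NETS):
    """True if the client IP falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def audit_logins(rows, nets=ALLOWED_NETS):
    """Return (user, ip, reasons) for each successful login that breaks policy."""
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts granted no access; alert on them separately
        reasons = []
        # Key-pair or SSO logins are not password-only, so they are not flagged here.
        if r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not r["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("PASSWORD_ONLY")
        if not in_allowlist(r["CLIENT_IP"], nets):
            reasons.append("OUTSIDE_ALLOWLIST")
        if reasons:
            findings.append((r["USER_NAME"], r["CLIENT_IP"], reasons))
    return findings

def users_needing_mfa(rows):
    """Accounts that logged in successfully with a password and no second factor."""
    return sorted({u for u, _, why in audit_logins(rows) if "PASSWORD_ONLY" in why})

if __name__ == "__main__":
    for user, ip, why in audit_logins(SAMPLE_LOGINS):
        print(f"{user:14} {ip:15} {', '.join(why)}")
```

A login that is both password-only and outside the allowlist, like the second CONTRACTOR_B row, matches the access pattern described in this breach and should be the highest-priority finding.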