There are a variety of ways that hackers can infiltrate a company’s network and steal users’ information. J. Crew Group, a clothing retailer with various online retail shopping sites and nearly 500 brick-and-mortar stores, recently announced that it had discovered a J. Crew data breach of the company’s servers in April of 2019, and has traced the breach back to a tactic known as credential stuffing.

Credential stuffing is a growing problem and has exploded since 2018, mostly because the necessary information is available for sale online and anyone with a little bit of know-how can do it. It can happen when anyone reuses their email addresses and password on multiple accounts. According to the Identity Theft Resource Center’s 2019 Data Breach Report, 83 percent of people use the same password for more than one account. If your information is ever stolen in a data breach and you have used that same username and password combination on other websites or apps, a hacker who accessed your stolen information—or someone who buys your stolen information on the Dark Web—can test out your credentials on other sites.

J. Crew’s investigation found that information such as names, billing and shipping addresses and the last four digits of stored payment cards were accessed in the J. Crew data breach by outsiders who relied on this method of breaking in. Other details were compromised, but nothing permanent like birthdates or Social Security numbers.

This is just one of many reasons why it is important to establish strong, unique passwords on all of your accounts, no matter how sensitive or inconsequential they may seem.

The company has completed a forced password reset and issued data breach notification letters. Anyone whose information was exposed in the J. Crew data breach can also contact the Identity Theft Resource Center’s toll-free number at 888.400.5530 or via the website’s live chat feature to speak with an expert advisor if they need more information. This resource can also help you come up with actionable steps if you need them.

In this or other data breaches, ITRC’s free ID Theft Help App can help you too. Simply download it from your device’s preferred app store in order to keep tabs on your specific incident and monitor what actions you have taken. You can even reach out to the ITRC for assistance directly through the app.


You might also like…

A RailWorks data breach has left many unanswered questions. When a company issues a data breach notification, it can be difficult to know what to do. RailWorks, a US-based transportation infrastructure company, reported a data breach due to a ransomware attack that may have affected an estimated 3,500 employees, former employees and their family members.

While the company knows what kinds of personal information was compromised, names, birthdates, Social Security numbers and much more, there are also many unanswered questions about the RailWorks data breach.

  1. How did the ransomware infect the system?
  2. What kind of ransomware was used in the attack?
  3. What did the hackers do with the stolen information?
  4. How did RailWorks unencrypt its system?
  5. How was the breach discovered?

What is clear is the step that RailWorks is taking to protect those who were affected. In addition to the notification letter, RailWorks is providing a year of comprehensive identity theft protection. This includes credit monitoring from all three credit reporting agencies, up to one million dollars in identity theft insurance and an anti-phishing app.

As some of the victims of this breach were minors, there are special considerations to be taken into account. For example, RailWorks recommends that the victims place a freeze on their credit reports in order to stop anyone from using their stolen information. That process is a little more involved if the person who needs this protection is a child.

If you ever receive a data breach notification letter, you might have questions too. Even if you do not understand what the impact of the RailWorks data breach could be, if you are offered identity theft protection or credit monitoring, it is suggested to take advantage of the offer.

If you need further assistance on the RailWorks data breach or any other breach event, you should also contact the Identity Theft Resource Center. Our expert advisors can help you via toll-free phone call (888.400.5530) or the website’s live chat feature, and they can answer any questions or concerns you may have.


You might also like…

A recent Whisper accidental overexposure is shedding light on the importance of online security. In 2012, the Whisper app was launched to be a completely private and anonymous chat with others. The point was that users could share their deepest, darkest secrets with other users without having to worry about anyone finding out who they were.

From the very beginning, Whisper has been plagued with privacy concerns, notably after experts discovered that “anonymous” does not mean what most users thought it did. The company and the app’s developers were tracking geographic locations and coordinates of where users posted, their devices’ unique IP addresses and more.

Now, a Whisper accidental overexposure has occurred. The newly discovered database of information that was not password protected—and therefore was visible to anyone on the internet—shows that the company was also keeping up with the content the users posted as well. Secrets, sexual orientations that had not been made public, explicit fantasies and sexual “adventures,” and other very sensitive information for about 900 million “whispers” were all stored in the database. Worse, some of the accounts belonged to users who listed their ages as young as fifteen years old. In fact, more than one million of the account entries were for that age alone.

All of the information that was harvested and collected in a single database had been shared as a “public” post on the app. However, the researchers argue that did not mean “public to anyone on the internet,” especially the posts belonging to minors or ones that were sexually explicit in nature. The database exposed in the Whisper accidental overexposure was an aggregation of all these whispers combined with usernames, genders, sexual orientations if listed and geographic locations. Although the information exposed did not include names, information such as geographic locations and coordinates, and IP addresses could be pieced together along with data from other data breaches to find the real identities of the Whisper users. As highlighted in the 2019 End-of-Year Data Breach Report, with unsecured data comes the question of whether the data was accessed by criminals, and unfortunately, the question is often answered when the user’s information is posted online for sale.

Users of this app or any other that claims to be safe, private or anonymous need to understand that in the world of technology, that is not exactly the definition you might be used to. Remember, if any app or platform is free for you to use, someone is making money off of it somehow. It might be through targeted advertising, selling your profile information or other mechanisms that allow the creators to turn a profit. It is important to find out how the app’s creators stay in business before you sign up.

If you think you may be a victim of identity crime, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For the latest scams, sign-up for our TMI (Too Much Information) Weekly newsletter.


You might also be interested in…

On March 2, 2020, Carnival Corp. announced that two of its cruise lines were impacted by a Carnival cruise line data breach. Unknown numbers of employees and customers of Princess line and Holland America line may have had their complete identities compromised, including names, addresses, Social Security numbers, government-issued travel numbers and more. The Carnival cruise line data breach appears to have occurred as a result of a targeted email attack that included deceptive communications, which are most likely part of a phishing attack.

In a phishing attack, scammers send out messages to hundreds or even thousands of email accounts, hoping to snare a few victims. In the case of these messages, the company’s statement appears to say the emails were directed at employees.

Spearphishing, as it is known, is a specific type of phishing attempt that happens when someone targets employees within a company with emails that look like real business-related messages. The goal is to trick the employee into downloading harmful software, sending over sensitive information, providing usernames and passwords or even transferring money to the scammers.

Carnival is taking steps to help those who have been affected by the Carnival cruise line data breach. While their investigators have not discovered any signs that the stolen information has been used maliciously, the company is offering free credit monitoring for the victims.

Also, anyone who is affected by a data breach can take the following steps:

  1. Update your passwords on all of your sensitive accounts.
  2. Place a freeze on your credit report by contacting the three credit reporting agencies.
  3. Monitor your accounts for any signs of unusual activity.

Anyone whose information was exposed in the Carnival cruise line data breach can also contact the Identity Theft Resource Center’s toll-free number at 888.400.5530 or via the website’s live chat feature to speak with an expert advisor. This resource can help you come up with an action plan.

The ITRC’s free ID Theft Help App will also let you keep record of your case steps and provide you with proof of what actions you have taken. This is important since some recent data breach settlements have required victims to provide proof for cash payouts.


You might also like…

On Thursday, March 4, 2020, T-Mobile disclosed a breach that impacted employees and customers. T-Mobile posted two separate data breach notification letters on their website. The first states that there was a malicious attack against their email vendor that led to unauthorized access to certain T-Mobile employee accounts, some of which contained account information for T-Mobile customers and employees. The second breach notification letter also states there was a malicious attack against their email vendor. However, it says personal information like names, addresses, Social Security numbers, financial account information, government identification numbers, phone numbers and billing account information could have been exposed for some customers and employees.

The U.S. telco is sending out SMS notifications to all impacted users about the T-Mobile breach. Users who just had account data exposed are getting different notifications than those who had sensitive data exposed.

It is not yet known how many employees and customers were affected by the T-Mobile breach. However, the company is recommending to customers that they change their PIN numbers on their T-Mobile accounts. T-Mobile is also offering free credit monitoring and identity theft detective services that are being provided by TransUnion, for those that had sensitive information exposed. Those that have the option to have monitoring will receive a separate letter with details.

In the notification letters, T-Mobile has emphasized how seriously they take the security of every customer and employee, and that they are working to further enhance their security to stay ahead of this type of activity.

While there is nothing you can do to prevent yourself from falling victim to a data breach, there are things you can do to reduce your risk.

  • Be alert for phishing emails by a scammer that acts like they know who you are or that they are a company you do business with. Only respond to emails if you know the recipient or are expecting the email.
  • Keep an eye out for suspicious activity. You can do that by regularly reviewing and monitoring your accounts and credit history for any unauthorized transactions.
  • If you believe you have fallen victim to identity theft, file a police report. You can also contact the Federal Trade Commission or the State Attorney General to learn more about the proper steps to take.

If you believe your information was exposed as part of the T-Mobile breach, the Identity Theft Resource Center urges you to call us toll-free at 888.400.5530 to speak with an expert advisor who can help you create an action plan and tell you who to contact and what to say. You can also live chat with an advisor.

The ITRC also encourages you to download our ID Theft Help App that will allow you to track your case and provide proof of what you have completed, which is more important now than ever with recent data breach settlements requiring victims to provide proof for cash payouts.


You might also like…

A Walgreens data exposure from the company’s mobile app exposed the information of 6,681 customers according to HIPAA Journal. This latest hack is an example of another way your data can be leaked.

Mobile apps are currently one of the retailers’ best tools for engaging customers, developing a loyal following and increasing sales. With these handy smartphone downloads, customers are more likely to return to that place of business and take advantage of special offers that can save them money. Retail apps in certain industries like health and fitness can even make a positive impact on users’ well-being.

The Walgreens pharmacy app, which has had tens of millions of downloads, makes it easy for customers to order their refills, check up on their prescriptions and much more. Unfortunately, a “bug” in the app’s code leaked personal messages that could have contained names, prescription information and some customers’ shipping addresses for app-based orders.

The sample data breach notification letter that Walgreens filed with the state of California stated that the company itself discovered the error in the app. Fortunately, that means the Walgreens data exposure might have been discovered before anyone could use the disclosed information or messages for harm. Walgreens has not issued any examples of what kind of harm could come from the Walgreens data exposure, but they have told patients to monitor their Walgreens accounts and keep tabs on their prescriptions.

It is worth noting that no financial information or permanent identifying information (like Social Security numbers) was exposed as part of the Walgreens data exposure. Also, no health insurance information was compromised. Because of that, no one has to worry about someone ordering prescriptions in a customer’s name.

While this might seem like a minor form of a data breach, it should still serve as a reminder that all of the information we choose to share online or in the cloud could be accessed by someone with the right know-how, or by a faulty piece of code in an app or website. It also highlights the fact that using some of this technology means placing trust in others’ ability to protect that information. If you do not feel confident in how your data will be stored or what information about you will be collected, think twice about downloading or using that technology.


You might also like…

Medical data breaches can be some of the most damaging breaches because of the types of personal information that hospitals collect. Combine that with the sensitivity of a child’s personal information and there is a potential for child identity theft – medical and financial. San Diego’s Rady Children’s Hospital is just the latest hospital to suffer a data breach. While the Rady Children’s Hospital data breach did not include Social Security numbers, credit card numbers, radiology images, radiology reports or diagnosis, it did include patient names, gender, and in some instances, dates of birth, medical record numbers, parent/guardian names, descriptions of imaging studies and the names of referring physicians.

The hospital learned of the potential incident on January 3, 2020. After an investigation, it was determined that patient names, gender and date and type imaging studies were accessed without authorization through an internet port between June 20, 2019 and January 3, 2020.

The hospital is notifying the 2,360 patients whose information may have been exposed in the Rady Children’s Hospital data breach and providing them with the steps they can take to protect their personal information. In a press release, the hospital states that any patient or legal guardian who receives a letter should review the steps that are outlined in the letter to protect their personal information. The hospital has also provided a toll-free number for people to call who might have questions about the incident (844.902.2025.)

The Rady Children’s Hospital data breach is an example of how thieves might get the personal information of children. However, there are things that the parents can do to reduce their child’s likelihood of falling victim to identity theft following this data breach.

Some red flags of medical identity theft could include:

  • Calls from collection agencies regarding bills or credit cards in your child’s name
  • Your child is denied government assistance or medical insurance because income or benefits have already been assigned to the child’s Social Security number
  • Receiving a medical bill in your child’s name for treatments/services they never received

Keep a close eye on any accounts that may come up in your child’s name. It is recommended to check your child’s credit report because children should not have a credit report in the first place. If one is discovered, parents/legal guardians need to consider placing a freeze on their account and disputing any suspicious activity. Additionally, because of the types of data available in the breach, the potential of a longtail impact to minors is a very real threat. With key information like parents’ name and date of birth, there could be potential risks for children well after the incident is resolved.

If you believe your child may have been the victim of identity theft or their/your information was exposed from the Rady Children’s Hospital data breach, you can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with one of our advisors. You can also live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


A Department of Defense data breach has exposed the complete identities of potentially multiple high-ranking individuals, emphasizing the importance of businesses increasing their security protocols, and consumers monitoring and freezing their credit reports.

 When hackers break into a computer network, there are varying degrees of harm they can cause depending on what they are able to access. If they are able to install ransomware on the network and lock up the entire system, they might expect a handsome payoff. If they steal a database of customers’ names and emails, they might sell that information to spammers or use it for phishing attacks. However, when hackers manage to get complete identities—meaning names, birthdates, Social Security numbers and more—the possibilities are endless.

Considered a “Holy Grail” of identity theft, a complete record lets the hackers open new lines of credit, submit fraudulent tax returns, apply for government benefits or buy a house. And that is just in the short-term. They can continue using that identity potentially forever, and they can even sell it to other criminals who will do the same thing. The end result can be a never-ending spiral of ongoing identity theft.

Unfortunately, a 2019 Department of Defense data breach has exposed the complete identities of an undisclosed number of people. The real concern is the specific agency in question: the Defense Information Systems Agency, or DISA, which handles IT support and all secure communications for the President, the Vice President and the Secret Service, just to name a few.

The group within the government that is tasked with protecting top-secret communications was infiltrated by hackers, and there is no word yet as to who it was and how much information they accessed. While DISA works on tightening its security protocols and systems, the individuals impacted by the Department of Defense data breach were issued a notification letter of the breach. The usual steps, like free credit monitoring for one year, are in place for those victims. In the meantime, this serves as yet another reminder that we all must be diligent about monitoring our credit reports, placing freezes on our credit reports if we do not need to use our credit soon, keeping our passwords up-to-date and other similar steps.

You might also like…

Last summer, MGM Resorts disclosed an MGM data breach that affected around 10 million guests of the hotel company, including some fairly high-profile clients. The data, which included names, addresses, phone numbers and email addresses appears to have not included sensitive things like payment card information or Social Security numbers. However, that does not mean the information is useless, and it certainly has not stopped hackers from posting the stolen data for sale on the Dark Web.

There are a few different reasons why hackers might target a company or website. They might want to steal information, such as in the case of the MGM data breach, or install malicious software on the company’s servers. They might simply want the “credibility” of breaking into a secure site and bragging about it later, or even the ability to protect the public, as in the case of “white hat hackers” who infiltrate a company in order to show them their own defense weaknesses.

In the case of the MGM data breach, the goal seems to have been profit. The database of information—which included records that claim to belong to Justin Bieber, Twitter CEO Jack Dorsey, U.S. government officials and even a Secret Service agent—has now been discovered for sale online.

What can criminals do with this stolen information once they buy it from the hackers? After all, it does not contain any permanent identifiers or financial account records.

The end goal for this kind of sale is to grab up the email accounts and use them for targeted spam. It could be the annoying kind of spam that floods your inbox with ludicrous consumer offers, but it could also be the dangerous kind. For example, if the hacker wants to infiltrate a government computer, they might send an email with an embedded virus to a former guest with a .gov email address. In order to get the recipient to click the link, the email just has to look like it came from MGM Resorts—or another company the person does business with—and offer some plausible reason why the recipient should open the file.

From there, the malicious software, virus or even ransomware can be installed on the victim’s computer, and then the senders can move forward with whatever plan they intend.

In order to protect yourself from this kind of attack, there are some things you can do to be more proactive. No one can prevent every cyberattack, of course, but you can at least try to slow the bad guys down.

  1. Throwaway email account – Establish an email account that you use specifically for things like booking travel, online shopping or even signing up for gaming apps. There is no reason to use your work email or “official” email for those kinds of activities.
  2. Develop good habits – Never click a link, open an attachment or download a file that you were not specifically expecting. Even if it looks like it comes from someone you know or a company you do business with, it could be spoofed and therefore could be harmful.
  3. Stay up to date on data breaches – Any time there is a data breach and you are informed that your information may have been compromised, that should serve as another reminder that a wave of spam or fake emails is coming your way. Be on the lookout for anything unusual and stay away from those embedded dangers.

For more information on data breaches like the MGM data breach and what they could mean to you, go to idtheftcenter.org and check out the free Breach Clarity tool that helps consumers understand their risks and take the proper steps to protect their identity.

You might also like…