Neiman Marcus data breach exposed millions of user email addresses

Neiman Marcus store
(Image credit: Shutterstock / Jonathan Weiss)

It appears the recent breach at Neiman Marcus is a lot bigger than the company claims, with millions of customers possibly affected.

The company confirmed the incident in a breach notification filed with the Office of the Maine Attorney General, but in the same filing said that the breach impacted just under 65,000 people.

However, BleepingComputer discussed the issue with the founder of HaveIBeenPwned?, a service that notifies people when their email addresses are leaked in a data breach. The founder, Troy Hunt, said he analyzed the stolen data, and claims it exposes more than 31 million customer email addresses.

Data for sale

"That's obviously a substantial number and I do want to get notifications out to them promptly. The total unique number of addresses I'll be referring to is 31,152,842," Hunt told BleepingComputer.

Asking Neiman Marcus to comment, BleepingComputer was referred back to the company’s official announcement, meaning it is sticking to its initial assessment of 65,000 affected individuals. 

Sp1d3r took the data from a compromised Snowflake instance, it was said.

"Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake," the company was cited.

Last month, a threat actor with the alias Sp1d3r posted a new archive on the dark web, claiming to hold sensitive data on the customers of the American luxury department store chain, allegedly stolen from a compromised Snowflake instance. 

At the time, they were asking for $150,000, for the database which contained the last four digits of people’s social security numbers, customer transaction data, customer emails, shopping records, employee data, and more.

In a separate announcement on its website, the company said the crooks took people’s names, contact information, birth dates, gift card info, transaction data, partial credit card information, Social Security Numbers, and employee identification numbers.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.