PetSmart warns users to beware of potential cyber scams

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

PetSmart was forced to log people out of their accounts and reset their passwords due to an ongoing credential stuffing attack.

The American pet retail giant sent out a security notification to its users telling them that an unidentified threat actor tried to log into people’s accounts via credential stuffing - an automated attack in which the hacker tries infinite username/password combinations until they break into an account. 

"We want to assure you that there is no indication that or any of our systems have been compromised," the breach notification said.

Using accounts for spam

With credential stuffing attacks, it’s virtually impossible to differentiate between regular traffic (i.e. actual user logging into their account) and malicious traffic, which is why PetSmart decided to simply push everyone out and force a password reset, just to be on the safe side.

"Instead, our security tools saw an increase in password guessing attacks on, and during this time your account was logged into. While the log in may have been valid, we wanted you to know,” they added. "In an abundance of caution to protect you and your account, we have inactivated your password The next time you visit, simply click the "forgot password" link to reset your password."

Credential stuffing attacks often work for two reasons: first, people frequently use weak and easy-to-guess passwords, which automated tools can easily crack; and second, some services grant their users unlimited attempts at logging in, which is ideal for hackers with automation tools. Having access to different accounts might sound pointless, but hackers have ways of making use of them. For example, they can use the accounts to spread spam, or malware, to other users who would not expect an attack from a familiar face.

PetSmart is considered one of the biggest retailers for pet products in the US, with more than 60 million customers.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.