It appears the recent Neiman Marcus breach is much larger than the company claims, potentially affecting millions of customers.
The company confirmed the incident in a breach notification filed with the Maine Attorney General’s Office. However, the same document noted that the breach affected just under 65,000 people.
However, BleepingComputer discussed the issue with the founder of HaveIBeenPwned?, a service that notifies people when their email addresses have been exposed in a data breach. Founder Troy Hunt said he has analyzed the stolen data and claims it exposed more than 31 million customer email addresses.
Data for sale
“That’s clearly a substantial number and I want to get them up to speed quickly. The total number of unique addresses I’m referring to is 31,152,842,” Hunt said. BleepingComputer.
I ask Neiman Marcus for comment: BleepingComputer was referred back to the company’s official announcement, meaning it is sticking to its initial estimate of 65,000 people affected.
Sp1d3r is believed to have taken over data from a compromised Snowflake instance.
“Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake,” the company said.
Last month, a cybercriminal using the alias Sp1d3r published a new archive on the dark web, claiming to contain sensitive customer data of the American luxury department store chain, stolen from a compromised Snowflake instance.
At the time, they were asking $150,000 for the database, which included the last four digits of social security numbers, customer transaction data, customer email addresses, store information, employee data and more.
A separate announcement on the company’s website said the criminals stole people’s names, contact information, dates of birth, gift card information, transaction data, partial credit card information, Social Security numbers and employee identification numbers.
