In March 2020, customers of clothing retailer J. Crew received a concerning email from the company warning that hackers might have compromised their usernames and account passwords in a credential-stuffing attack.
According to a filing with the State of California, attackers had grabbed sensitive account information such as credit card types, partial payment numbers, expiration dates and billing addresses. These accounts also store shipping addresses and account balances from inputted gift cards. J. Crew claimed that the attack affected less than 10,000 customers, but the attack had been continuing for nearly a year, making it challenging for the retailer to have full insights into the extent of the attack.