Popular online retailer Zazzle is warning customers of a possible data breach after it detected a brute-force attack in July. In an email sent to affected customers, the company said hackers attempted to use brute-force techniques to break into users' accounts using passwords stolen in an earlier breach of another unnamed website.
"During this data breach, some unauthorized login attempts to Zazzle accounts were made," the company said in the email. Zazzle said it believes that its customers' user names and passwords were stolen "by an unauthorized third party through a breach of other website(s)". The hackers then tried to verify the stolen credentials on Zazzle's website, the firm said.
Zazzle's chief technology officer Bobby Beaver told ZDNet that "thousands of accounts" were affected but that this represented "a small percentage of accounts." However, the company said that its own systems were not hacked in the cyberattack.
The online marketplace has reset the passwords of affected users' accounts. Customers will be prompted to choose a new password for their account when they next visit the site and log in.
"The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address," said Beaver. "As such, a malicious actor could not reset the password for the account - unless they had access to the email account itself, which is not in our control."
Zazzle has also advised customers who use the same or similar passwords across a number of websites and platforms to reset their passwords as well.
"In addition, Zazzle implemented a CAPTCHA on its website to prevent logins by automated means," the company said. "Zazzle is currently evaluating safeguards and monitoring agents to deter these attacks going forward."
The company reported the breach to the Office of the Attorney General in California on Friday (25 August).
The latest cyberattack comes almost a year after Zazzle suffered two breaches in August 2016. The company cited similar circumstances in those incidents as well, saying hackers used credentials stolen in a data breach from "some other website" to infiltrate customers' accounts. The company reset users' passwords and reported the breaches to the Attorney General's office a month later.
IBTimes UK has reached out to Zazzle for comment.