Hackers hit Warby Parker with credential stuffing attack that impacted 198,000 customers

• The hackers began their unauthorized activity on September 25 and this continued through late November.
• The attackers are believed to have viewed certain customers’ store prescription and profile data.

Around 198,000 customers of Warby Parker may have been affected by a credential stuffing attack. The identity of the attackers that targeted the eyewear retail chain currently remains unknown. However, the company confirmed that the attack went on for over a month.

About the breach

The hackers reportedly began their unauthorized activity on September 25. However, the attack continued through late November. The attackers are believed to have viewed certain customers’ store prescription and profile data. The hackers could also have placed orders by leveraging victims’ stored payment card details.

Meanwhile, Warby Parker has confirmed that individuals who repeatedly use the same credentials across multiple accounts are the primary targets of the attack. The firm added that there is no evidence of any payment card information having been stolen.

Addressing the problem

In response to the event, the company notified the customers whose information was potentially compromised in the data breach. It urged them to change their account passwords and monitor their order histories for any unknown purchases. The eyewear company has also notified the local law enforcement agency about the breach.

“Customer privacy and security is a key priority for us,” said Dave Gilbao, co-founder and co-CEO of Warby Parker, SC Magazine reported. “We have reset passwords for potentially affected customers, and we apologize for the inconvenience this may cause them. We want to thank our customers for their patience as we work to protect the security of their data. We have reported this matter to law enforcement and are actively cooperating with them.”