Home goods retailer Bed Bath & Beyond yesterday disclosed in a Securities & Exchange Commission 8-K filing that an unauthorized third party illegally accessed one percent of its online customers’ accounts.

The online intruder acquired the account emails and passwords from a “source outside the company’s systems,” the Union Township, N.J. retailer reported. Based on this account, the incident may have therefore been a case of credentials stuffing, or a third-party data breach or phishing attack.

Payment card information was reportedly not affected.

Bed Bath & Beyond said that in response to the unauthorized access, it hired a forensics firms to investigate, “implemented remedial measures” and “sent notifications to certain customers as required by applicable legal requirements.”

“Due to the limited nature of the security incident and the company’s cyber incident insurance coverage, the company does not expect this security incident to have a material adverse effect on its results of operations, cash flows or financial condition for any fiscal period,” the retailer stated in the filing.

Colin Bastable, CEO of security training and awareness company Lucy Security, said, “The most likely point of entry is through a third-party supplier of services to the company, and the odds are over 90 percent in favor of the attack being initiated by a phishing email, perhaps a spoof email, one that appears to be from someone else.”

“The message for employees is: Don’t use work email addresses on third-party web sites, and learn to spot phishing and spearphishing emails,” Bastable continued. “For affected BB&B customers, the risk is significant. The bad guys don’t need a password to phish you, just a valid email. How do they know that the next marketing email is really from Bed Bath & Beyond?”





