PetSmart warns of credential stuffing attacks trying to hack accounts

Pet retail giant PetSmart is warning some customers their passwords were reset due to an ongoing credential stuffing attack attempting to breach accounts.

PetSmart is the largest retailer in the US, focusing on pets and associated products, with over 60 million customers and 1,600 stores nationwide.

In new email notifications sent to PetSmart customers first seen by DarkWebInformer, the company warns that customers are being targeted by credential stuffing attacks used to gain access to their accounts.

PetSmart reset passwords for any accounts logged in during the credential stuffing attacks to be safe as they could not determine if the logged in user was the account owner or the hackers.

"We want to assure you that there is no indication that petsmart.com or any of our systems have been compromised," reads the PetSmart email alert.

"Instead, our security tools saw an increase in password guessing attacks on petsmart.com, and during this time your account was logged into. While the log in may have been valid, we wanted you to know."

"In an abundance of caution to protect you and your account, we have inactivated your password petsmart.com. The next time you visit petsmart.com, simply click the "forgot password" link to reset your password."

A credential stuffing attack is when threat actors collect login credentials exposed in data breaches and then use those credentials to try to log into other sites.

Once a threat successfully breaches an account, they are used for malicious behavior, including making fraudulent purchases, sending spam, or launching other attacks.

More commonly, the threat actors sell the breached accounts to others, who use them to make purchases, cash in rewards points, or steal money.

Other companies hit in the past with credential stuffing attacks include PayPal, Spotify, Xfinity, and Chick-fil-A, and with more damaging losses, FanDuel and DraftKings.

In May 2023, an 18-year-old was charged with hacking 60,000 DraftKings betting accounts and selling them on a stolen account marketplace called the Goat Shop.

While DraftKings initially stated only $300,000 was stolen via the attacks, the Department of Justice later revealed that $600,000 was stolen from 1,600 compromised accounts.