Levi Strauss & Co.
Summary
Levi Strauss & Co. disclosed a credential stuffing attack on June 13, 2024, that affected over 72,000 customers. Attackers used compromised credentials from third-party sources to gain unauthorized access to customer accounts.
Attack Vector
The breach involved a credential stuffing attack in which attackers used combinations of email addresses and passwords obtained from third-party data breaches to gain unauthorized access to Levi Strauss customer accounts. The attack was detected and stopped on the same day it occurred.
Consumer Impact
Exposed data includes customer names, email addresses, order histories, and partial payment details. While payment information was partially exposed, Levi Strauss's systems do not authorize the use of saved payment methods without secondary authentication, and no fraudulent orders appear to have been made. The company has faced criticism for not offering identity theft protection services to affected individuals despite the severity of the breach.
Response
Levi Strauss & Co. deactivated account credentials for all affected user accounts and enforced mandatory password resets after detecting suspicious activity. The company electronically notified affected customers on June 21, 2024, eight days after the incident. The swift detection and response on the same day as the attack helped limit potential fraud from the compromised accounts.