50,000 AutoZone customers’ data hacked, exposed (update1)

AutoZone, a leading American retailer of auto parts, has reportedly been hacked by @JM511.

This afternoon, JM511 announced the hack of the AutoZonePro.com site on Twitter. The linked paste included 49,967 customers’ details: billing addresses (street and city), email addresses, hashed passwords, telephone numbers, customers’ cities, and dates of birth.

Although the passwords were hashed, JM511 provided the password hash in the paste.

While no financial data was dumped, JM511 informs DataBreaches.net that he acquired other data concerning AutoZone customer orders that he did not dump. AutoZone may recognize the following fields:

ipaddy cc_ccv cc_type currency cc_start cc_issue cc_owner cc_number po_number cc_expires billing_name account_name payment_info billing_city orders_status delivery_name delivery_city last_modified cc_bank_phone

If you ordered from AutoZone, change your password for that site and for any other site where you may have used it. And although JM511 is not dumping any payment card data, it’s always a good idea to remain vigilant and check your statements. After all, if he could get the data, so could someone else.

Update1: Post-publication, JM511 informed DataBreaches.net that he had actually obtained customer information on 162,000+ customers, but decided to dump data on only 50,000.


About the author: Dissent

9 comments to “50,000 AutoZone customers’ data hacked, exposed (update1)”

You can leave a reply or Trackback this post.
  1. Anonymous - August 24, 2015

    Canadians and Quebec-Canadians (we must distinguish due to jurisdictions 😉 )
    in that data dump.

    I wonder if AutoZone notified the Privacy Commissioner of Canada of their data breach?

    • Dissent - August 25, 2015

      I wonder if AutoZone even knows they’ve been hacked despite attempts to notify them via Twitter because there’s not a single link on their web site for reporting a security breach.

  2. Anonymous - August 25, 2015

    As far as I know, and I could be wrong and would have to double check, there is mandatory reporting of breaches to PrivCom. The section not yet in effect are the 100,000$ fines for not reporting a breach (in effect in 2017 I think). However, this could affect an outcome/decision maybe since no one would get breach notification.

    In effect, mandatory reporting is pretty much toothless. Nothing would come of it if they chose to ignore it. Not sure about the States and else-where.

    Calling 1-800-741-9179 as detailed in their privacy policy. It gives me the “rewards card program” WTF???

    On phone now. They seem to know nothing… on hold as they look into it… Had to explain it a couple of times. Told them no notice on site, or to people, twitter account appears to be ignoring it. I see addresses/phone numbers of people near me in Canada in the data dump. Stated C/C’s also apparently compromised.

    coffee cup is empty and i’m on hold. This sucks. 5-min on hold now. Jonesing for coffee…

    k… “they are fixing their website now , as we speak,so it doesn’t show”. I was confused at this reply. I asked um what about the data now out everywhere, you are aware of that right? You’ve been hacked. They said yes. I asked if there will be notification to people affected, they said they will inform people. Left it like that, person didn’t seem to know much.

    I should have asked for a diff number, but coffee fix got the best of me.

    So there, they now know for sure. I think… was a confusing reply. I don’t think their people know how to handle this type of call when calling the number given in their privacy policy. ah well, the darknet loves them.

    • Dissent - August 25, 2015

      Good job trying to get confirmation. Thanks!

  3. KJH - August 25, 2015

    This states the site autozonepro.com was hacked, which is the commercial site. autozone.com is the consumer site. Were both compromised?

    • Dissent - August 25, 2015

      Not sure. I’ll try to find out from the hacker. Stay tuned.

    • Dissent - August 26, 2015

      Confirmed that it’s AutoZonePro. If you have questions as to whether your data was caught up in the hack, you might contact AutoZone and ask them, although they did tell another commenter that they would be notifying those affected.

  4. Tay - August 31, 2015

    My card number was stolen and $500 was spent on my CC. The charges were fraudulent and it happened the day this hack occurred. I am now currently working with the bank and local police. IDK if I’ll ever pay with card from this store again.

    • Dissent - August 31, 2015

      I’m not aware of this hacker ever dumping, selling, or using credit card data from hacks he’s done. This was the AutozonePro site only, too. Had you made a purchase on that site or on the regular Autozone customer site?

      In any event, sorry to hear what you’ve gone through.

Comments are closed.