Aug 232015

AutoZone, a leading American retailer of auto parts, has reportedly been hacked by @JM511.

This afternoon, JM511 announced the hack of the site on Twitter. The linked paste included 49,967 customers’ details: billing addresses (street and city), email addresses, hashed passwords, telephone numbers, customers’ cities, and dates of birth.

Although the passwords were hashed, JM511 provided the password hash in the paste.

While no financial data was dumped, JM511 informs that he acquired other data concerning AutoZone customer orders that he did not dump. AutoZone may recognize the following fields:

ipaddy cc_ccv cc_type currency cc_start cc_issue cc_owner cc_number po_number cc_expires billing_name account_name payment_info billing_city orders_status delivery_name delivery_city last_modified cc_bank_phone

If you ordered from AutoZone, change your password for that site and for any other site where you may have used it. And although JM511 is not dumping any payment card data, it’s always a good idea to remain vigilant and check your statements. After all, if he could get the data, so could someone else.

Update1: Post-publication, JM511 informed that he had actually obtained customer information on 162,000+ customers, but decided to dump data on only 50,000.


  9 Responses to “50,000 AutoZone customers’ data hacked, exposed (update1)”

  1. Canadians and Quebec-Canadians (we must distinguish due to jurisdictions 😉 )
    in that data dump.

    I wonder if AutoZone notified the Privacy Commissioner of Canada of their data breach?

    • I wonder if AutoZone even knows they’ve been hacked despite attempts to notify them via Twitter because there’s not a single link on their web site for reporting a security breach.

  2. As far as I know, and I could be wrong and would have to double check, there is mandatory reporting of breaches to PrivCom. The section not yet in effect are the 100,000$ fines for not reporting a breach (in effect in 2017 I think). However, this could affect an outcome/decision maybe since no one would get breach notification.

    In effect, mandatory reporting is pretty much toothless. Nothing would come of it if they chose to ignore it. Not sure about the States and else-where.

    Calling 1-800-741-9179 as detailed in their privacy policy. It gives me the “rewards card program” WTF???

    On phone now. They seem to know nothing… on hold as they look into it… Had to explain it a couple of times. Told them no notice on site, or to people, twitter account appears to be ignoring it. I see addresses/phone numbers of people near me in Canada in the data dump. Stated C/C’s also apparently compromised.

    coffee cup is empty and i’m on hold. This sucks. 5-min on hold now. Jonesing for coffee…

    k… “they are fixing their website now , as we speak,so it doesn’t show”. I was confused at this reply. I asked um what about the data now out everywhere, you are aware of that right? You’ve been hacked. They said yes. I asked if there will be notification to people affected, they said they will inform people. Left it like that, person didn’t seem to know much.

    I should have asked for a diff number, but coffee fix got the best of me.

    So there, they now know for sure. I think… was a confusing reply. I don’t think their people know how to handle this type of call when calling the number given in their privacy policy. ah well, the darknet loves them.

  3. This states the site was hacked, which is the commercial site. is the consumer site. Were both compromised?

    • Not sure. I’ll try to find out from the hacker. Stay tuned.

    • Confirmed that it’s AutoZonePro. If you have questions as to whether your data was caught up in the hack, you might contact AutoZone and ask them, although they did tell another commenter that they would be notifying those affected.

  4. My card number was stolen and $500 was spent on my CC. The charges were fraudulent and it happened the day this hack occurred. I am now currently working with the bank and local police. IDK if I’ll ever pay with card from this store again.

    • I’m not aware of this hacker ever dumping, selling, or using credit card data from hacks he’s done. This was the AutozonePro site only, too. Had you made a purchase on that site or on the regular Autozone customer site?

      In any event, sorry to hear what you’ve gone through.

Sorry, the comment form is closed at this time.