Neiman Marcus data breach exposed millions of user email addresses

Neiman Marcus is still sticking to its initial assessment

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

It appears therecent breach at Neiman Marcusis a lot bigger than the company claims, with millions of customers possibly affected.

The company confirmed the incident in a breach notification filed with the Office of the Maine Attorney General, but in the same filing said that the breach impacted just under 65,000 people.

However,BleepingComputerdiscussed the issue with the founder of HaveIBeenPwned?, a service that notifies people when their email addresses are leaked in a data breach. The founder, Troy Hunt, said he analyzed the stolen data, and claims it exposes more than 31 million customer email addresses.

Data for sale

“That’s obviously a substantial number and I do want to get notifications out to them promptly. The total unique number of addresses I’ll be referring to is 31,152,842,” Hunt toldBleepingComputer.

Asking Neiman Marcus to comment,BleepingComputerwas referred back to the company’s official announcement, meaning it is sticking to its initial assessment of 65,000 affected individuals.

Sp1d3r took the data from a compromised Snowflake instance, it was said.

“Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake,” the company was cited.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Last month, a threat actor with the alias Sp1d3r posted a new archive on the dark web, claiming to hold sensitive data on the customers of the American luxury department store chain, allegedly stolen from a compromised Snowflake instance.

At the time, they were asking for $150,000, for the database which contained the last four digits of people’s social security numbers, customer transaction data, customer emails, shopping records, employee data, and more.

In a separate announcement on its website, the company said the crooks took people’s names, contact information, birth dates, gift card info, transaction data, partial credit card information, Social Security Numbers, and employee identification numbers.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Herman Miller Aeron gaming chair review: premium, highly customizable comfort