The home goods retailer says an unauthorized third party acquired emails and passwords to less than 1% of its online customer accounts.

Bed Bath & Beyond Inc. announced this week that a hacker acquired email addresses and passwords for less than 1% of its online account holders between Sept. 4-27.

The unauthorized third party did not access payment card data, the home goods retailer says. Bed Bath & Beyond notified impacted consumers, temporarily locked access to those accounts and provided steps to unlock them.

“We do not know the identity of the third party, however, we do know they used email and password information acquired outside Bed Bath & Beyond and Buy Buy Baby to access a limited number of online accounts,” a spokesman for the retailer says.

A retailer as large as Bed Bath & Beyond likely has many third-party service providers, such as a human resources vendor, a marketing agency and building management software, and the hacker most likely gained access via one of these service providers, says Colin Bastable, CEO of security training company Lucy Security.


“If one of those suppliers is compromised, then the hackers have a way into the main target, perhaps via a hijacked email account,” he says.

For example, what could have happened, Bastable says, is that a Bed Bath & Beyond employee clicks on a link from an email that appeared to be from one of the retailer’s vendors but was actually from the hacker. Then, the hacker used this point of entry to steal the customer data, he says.

Or, a Bed Bath & Beyond employee could have used his email address to log into another site, such as for booking a hotel. If a hacker had stolen data from that hotel’s site, it now has a valid email address. “[The criminal] can send a spoof email, pretending to be that Bed Bath & Beyond person, to a supplier or to a colleague and drop malware that way,” Bastable says.

For a shopper who was impacted, she should ensure she doesn’t use the same password for her Bed Bath & Beyond account elsewhere. In fact, not reusing passwords is one way consumers can protect themselves from fraud, says Mike Lloyd, chief technology officer from cyber security firm RedSeal Inc.


“It’s important to realize that if you use the same password at your bank as you use for less important services like social media or video streaming, then a bad guy only has to break into whichever company has the weakest security, then steal your passwords and use them everywhere else you go,” Lloyd says.

To ensure a breach does not happen again, Bed Bath & Beyond says it has enhanced its security, “including retaining a leading security forensics firm and introducing advanced security solutions tailored to deter third party access,” the spokesman says.

Bed Bath & Beyond is No. 68 in the Internet Retailer 2019 Top 500.