According to recent reports, the Neiman Marcus data breach was much larger than the firm previously acknowledged.
While Neiman Marcus announced that only approximately 65,000 consumers were affected, security experts estimate the true figure could be in the millions.
This raises questions about the security of client data and the potential consequences for anyone affected.
According to Troy Hunt, founder of Have I Been Pwned, a May 2024 data breach announced last month by American luxury retailer and department store chain Neiman Marcus compromised more than 31 million customer email addresses.
Hunt's insights came after the corporation filed a breach report with the Office of the Maine Attorney General, claiming that the issue affected only 64,472 persons.
In a separate incident notification posted on its website, Neiman Marcus disclosed that the data involved in the attack consisted of names, contact information, dates of birth, gift card information, transaction data, partial credit card information (without expiration dates or CVVs), SSN, and employee identification numbers.
While studying the data taken in the breach, Hunt discovered 30 million unique email addresses and said that he confirmed the information's legitimacy with other persons whose data was in the stolen database.
Hunt said that:
“That is obviously a large number, and I would like to notify them as soon as possible. The total number of unique addresses I will be referring to is 31,152,842.”
He stated that:
“About 105,000 Have I Been Pwned customers discovered in the data set would receive an email informing them of the enormous data breach.”
When a Neiman Marcus spokesman was asked to confirm Hunt's findings, they declined to comment.
New breach: Neiman Marcus suffered a breach in May which was later posted to a hacking forum. The data contained 31M unique email addresses, name, phone, DoB, physical address and partial credit card data. 76% were already in @haveibeenpwned. More: https://t.co/z0K4rOLtie
— Have I Been Pwned (@haveibeenpwned) July 9, 2024
Sp1d3r allegedly stole information from a hacked Snowflake database.
According to a statement released by the company:
"Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake."
Last month, a threat actor using the alias Sp1d3r posted a fresh archive on the dark web, claiming to have sensitive data on clients of the American luxury department store chain, allegedly acquired from a compromised Snowflake instance.
SOCRadar observed Sp1d3r threat actor claiming a new breach involving Neiman Marcus. Allegedly linked to the #Snowflake incident, the breach includes 70M transactions, customer details, 50M emails, 12M gift card numbers, and more. Sp1d3r is demanding $150k to stop the sale.… pic.twitter.com/ZaV7nbc2Pm
— SOCRadar® (@socradar) June 25, 2024
At the time, they wanted $150,000 for the database, which included the last four digits of people's social security numbers, customer transaction data, customer emails, purchasing records, employment data, and other information.
There appears to be a major difference in the reported number of affected clients. While Neiman Marcus claims just 65,000 were affected, security researcher Troy Hunt discovered proof of more than 31 million exposed email addresses.
This emphasizes the urgency of further investigation and disclosure about the extent of the breach.