Between November 7 and November 8, 2024, Yonex’s official online shop was targeted by a credential stuffing attack that affected 223 customer accounts. Credential stuffing replays username and password pairs exposed in earlier breaches of other services against a site’s login form, succeeding wherever a customer reused the same credentials; here it led to the potential exposure of personal information for 53 of the affected accounts. The exposed data included names, addresses, phone numbers, birth dates, gender, purchase history, and partial credit card details. The attack came to light when a customer reported receiving a suspicious order confirmation, prompting an immediate investigation.
Yonex took swift action once the breach was identified. The company blocked the IP addresses used for the unauthorized logins and invalidated the passwords of all affected accounts. It also required every customer to change their password at their next login to protect their accounts. Fraudulent orders placed by the attackers were canceled, affected customers were notified directly, and the company strengthened its monitoring systems to prevent future breaches.
The personal data exposed in this incident was limited to the information needed to process transactions: names, contact details, and partial credit card numbers. Full card numbers and security codes were kept secure, so no such sensitive financial data was leaked. Because the attack used credentials obtained from external sources rather than any flaw in Yonex’s own systems, the company clarified that no internal vulnerability was exploited; the attackers simply logged in with stolen credentials that happened to match those customers’ accounts.
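The monitoring and response steps described above (spotting a source that tries many different accounts, blocking it, and invalidating the passwords of the accounts it got into) can be expressed as a small detector over login logs. The following is an added illustration, not Yonex’s code; the log format, the field names, the thresholds and the sample log lines are all constructed assumptions. It separates credential stuffing (one source, many accounts, mostly failing) from a legitimate user mistyping a password (one source, one account), and lists the accounts whose passwords must be treated as known to the attacker.

```python
"""Credential stuffing detector over constructed authentication log lines.

Added example, not the shop's own code. The log format
"<timestamp> <ip> <account> <LOGIN_OK|LOGIN_FAIL>", the thresholds and
the sample lines below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log: one source hammering ten different accounts,
# a genuine user who mistypes once, and an unrelated normal login.
SAMPLE_LOG = """\
2024-11-07T22:01:03Z 198.51.100.23 alice LOGIN_FAIL
2024-11-07T22:01:04Z 198.51.100.23 bob LOGIN_FAIL
2024-11-07T22:01:04Z 198.51.100.23 carol LOGIN_OK
2024-11-07T22:01:05Z 198.51.100.23 dave LOGIN_FAIL
2024-11-07T22:01:05Z 198.51.100.23 erin LOGIN_FAIL
2024-11-07T22:01:06Z 198.51.100.23 frank LOGIN_OK
2024-11-07T22:01:06Z 198.51.100.23 grace LOGIN_FAIL
2024-11-07T22:01:07Z 198.51.100.23 heidi LOGIN_FAIL
2024-11-07T22:01:07Z 198.51.100.23 ivan LOGIN_FAIL
2024-11-07T22:01:08Z 198.51.100.23 judy LOGIN_FAIL
2024-11-07T22:05:10Z 203.0.113.8 alice LOGIN_FAIL
2024-11-07T22:05:20Z 203.0.113.8 alice LOGIN_OK
2024-11-07T22:09:00Z 192.0.2.77 mallory LOGIN_OK
"""


@dataclass
class SourceStats:
    """Login statistics for one source IP."""
    attempts: int = 0
    failures: int = 0
    accounts: Set[str] = field(default_factory=set)   # every account tried
    succeeded: Set[str] = field(default_factory=set)  # accounts logged into

    @property
    def distinct_accounts(self) -> int:
        return len(self.accounts)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, outcome = line.split()
    if outcome not in ("LOGIN_OK", "LOGIN_FAIL"):
        raise ValueError(f"unknown outcome: {outcome}")
    return ts, ip, account, outcome == "LOGIN_OK"


def analyze_log(log_text: str) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and accounts per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.succeeded.add(account)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: Dict[str, SourceStats], min_attempts: int = 8,
                          min_accounts: int = 5, min_fail_ratio: float = 0.5) -> List[str]:
    """IPs whose pattern matches credential stuffing: many attempts spread
    over many distinct accounts, most of them failing. A user retrying one
    account never reaches min_accounts, so they are not flagged."""
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts
                  and s.distinct_accounts >= min_accounts
                  and s.failure_ratio >= min_fail_ratio)


def accounts_to_invalidate(stats: Dict[str, SourceStats], flagged_ips: List[str]) -> List[str]:
    """Accounts a flagged source logged into: their current password is
    known to the attacker and must be invalidated and the customer notified."""
    hit: Set[str] = set()
    for ip in flagged_ips:
        hit |= stats[ip].succeeded
    return sorted(hit)


if __name__ == "__main__":
    stats = analyze_log(SAMPLE_LOG)
    flagged = flag_stuffing_sources(stats)
    print("block these sources:", flagged)
    print("invalidate passwords for:", accounts_to_invalidate(stats, flagged))
```

The distinguishing signal is the ratio of distinct accounts to attempts: credential stuffing tries each stolen pair roughly once, so that ratio sits near one, whereas a brute-force attack against a single account drives it toward zero. Thresholds should be tuned against the shop’s own baseline traffic, and the windowing (here the whole log at once) would in practice be a sliding time window.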
In response to the attack, Yonex reported the breach to the Personal Information Protection Commission and consulted with the National Police Agency. To help prevent future incidents, the company gave its users recommendations on password security, such as choosing unique, hard-to-guess passwords. Customers were also advised not to reuse passwords across services and to remain wary of phishing attempts, as Yonex emphasized that it would never request personal or payment information by email or any other channel.