
How Hackers Are Breaking Into Big Retail Brands Without Using Malware — And What You Can Learn From It


In the past year, some of the world’s most well-known retail brands have fallen victim to cyber attacks. These include Adidas, The North Face, Cartier, Victoria’s Secret, Marks & Spencer, Co-op, and even Dior.

What’s striking is that these attacks involved no high-end malware or advanced hacking tools. They were identity-based attacks, an increasingly common pattern in which attackers do not break in at all: they log in, using valid usernames, passwords, session tokens and access grants that were never properly protected.

These attacks happened because of poor identity management, over-trusted third parties, unused admin accounts, and weak access controls in cloud-based services. And because they relied on real credentials and legitimate sessions, they often went unnoticed for a long time.

Let’s look deeper into what happened, how these attacks worked, and how any business — even smaller retailers — can learn from them to protect themselves.

1. Adidas: Trusting the Wrong Third Party Can Open the Door

Adidas didn’t get hacked directly. The breach happened through a third-party vendor they hired for customer service. That vendor got attacked, and as a result, customer data was exposed — including names, emails, and order information.

The issue here wasn’t malware. It was too much access given to a third party, and that access wasn’t taken away after it was no longer needed. This kind of situation is often called a supply chain attack.

Why this matters:
Many companies let vendors or partners connect their tools using OAuth grants, API tokens or service accounts. These connections are rarely monitored, often never expire, and sit outside the multi-factor authentication (MFA) that protects human logins. That makes them attractive to attackers looking for a quiet, persistent way into your systems.

What to take away:
Don’t just protect your employees. Review and manage what third-party systems and vendors have access to your data, and turn off those access points when they’re no longer needed.
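The review described above can be scripted. The following is an added example, not code from the original article or from any of the companies it discusses: it walks a constructed inventory of third-party grants (the field names, the 90-day idle threshold and the list of over-broad scopes are assumptions made for the example, not any vendor’s real schema) and reports which grants are stale, unexpiring or over-scoped, and which should simply be revoked.

```python
"""Stale third-party access review.

Added example, not the article's code. The inventory below is constructed
and the field names are assumptions; a real export from a SaaS tenant's
OAuth/API-token admin page would need mapping onto these fields.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)   # fixed "today" so the run is deterministic
MAX_IDLE = timedelta(days=90)                      # assumed policy: unused this long means revoke
# Assumed list of scopes that should never be handed to an outside party.
BROAD_SCOPES = {"admin", "*", "customers:read_all", "orders:read_all"}

# Constructed inventory, not real data.
INTEGRATIONS = [
    {"id": "svc-helpdesk-vendor", "owner": "Vendor A (customer service)", "kind": "oauth_grant",
     "scopes": ["customers:read_all", "tickets:write"], "expires": None,
     "last_used": NOW - timedelta(days=200), "contract_active": False},
    {"id": "svc-analytics", "owner": "Vendor B (analytics)", "kind": "api_token",
     "scopes": ["orders:read"], "expires": NOW + timedelta(days=30),
     "last_used": NOW - timedelta(days=2), "contract_active": True},
    {"id": "svc-legacy-erp", "owner": "internal", "kind": "service_account",
     "scopes": ["admin"], "expires": None,
     "last_used": None, "contract_active": True},
]


def review(integrations, now=NOW):
    """Return {integration_id: [finding, ...]} for every grant with a problem."""
    findings = {}
    for item in integrations:
        issues = []
        if not item["contract_active"]:
            issues.append("vendor relationship ended but access still active")
        last = item["last_used"]
        if last is None:
            issues.append("never used: probably forgotten, revoke")
        elif now - last > MAX_IDLE:
            issues.append(f"idle for {(now - last).days} days")
        if item["expires"] is None:
            issues.append("credential never expires")
        broad = BROAD_SCOPES.intersection(item["scopes"])
        if broad:
            issues.append("over-broad scopes: " + ", ".join(sorted(broad)))
        if issues:
            findings[item["id"]] = issues
    return findings


def revocation_list(findings):
    """IDs that should be revoked outright rather than merely tightened."""
    return sorted(i for i, issues in findings.items()
                  if any(s.startswith(("vendor relationship", "never used", "idle"))
                         for s in issues))


if __name__ == "__main__":
    result = review(INTEGRATIONS)
    for integration_id, issues in result.items():
        print(integration_id)
        for issue in issues:
            print("  -", issue)
    print("revoke:", revocation_list(result))
```

Run it and the ended vendor contract and the never-used internal service account both land on the revoke list, while the analytics token, which is scoped, expiring and in active use, produces no finding. The point is that “last used” and “expires” are the two fields most admin consoles show but nobody reads.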

2. The North Face: When Password Reuse and No MFA Lead to Trouble

The North Face suffered a credential stuffing attack — which is when attackers try usernames and passwords leaked from other websites to log into customer accounts.

No malware. No phishing. Just weak password habits, reused credentials, and the absence of MFA. Once inside, attackers quietly accessed personal information.

Why this matters:
This was not the first time The North Face was hit by a credential attack. In fact, it was their fourth incident like this since 2020. Many SaaS platforms still don’t enforce MFA, and users often reuse the same password across multiple accounts.

What to take away:
Credential stuffing is still one of the easiest ways for attackers to get in. Every account, especially on customer-facing and SaaS platforms, needs MFA, a password policy that rejects known-breached passwords, and rate limiting on failed logins. Note that stuffing typically tries each account only once, so per-account lockout alone will not catch it; you also need to watch for one source failing against many different accounts.
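The distinction above, between per-account lockout and per-source detection, is easiest to see in code. The following is an added example, not code from the article or from any vendor: it parses a constructed authentication log (the line format, the ten-minute window and the thresholds are assumptions chosen for the example) and applies both rules, so you can see which one actually catches a stuffing run.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not the article's code. The log format, window and
thresholds are assumptions; adapt the regex to your own auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_DISTINCT_USERS = 5           # failures against this many different accounts from one IP
LOCKOUT_FAILURES = 5             # consecutive failures before an account is locked

# Constructed sample: one IP sprays leaked credential pairs (one try per account,
# one of which works), while another user just mistypes a password twice.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-06-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-06-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2025-06-01T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2025-06-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2025-06-01T10:00:06Z ip=203.0.113.5 user=frank result=OK
2025-06-01T10:01:00Z ip=198.51.100.9 user=grace result=FAIL
2025-06-01T10:01:10Z ip=198.51.100.9 user=grace result=FAIL
2025-06-01T10:01:20Z ip=198.51.100.9 user=grace result=OK
"""


def parse(text):
    """Turn log lines into (timestamp, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events)


def stuffing_sources(events):
    """{ip: set(users)} for IPs that failed against many distinct accounts within WINDOW."""
    flagged = {}
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= WINDOW}
            if len(users) >= MIN_DISTINCT_USERS:
                flagged[ip] = users
                break
    return flagged


def compromised_candidates(events, sources):
    """Accounts that logged in successfully from a flagged stuffing source."""
    return sorted({user for _, ip, user, ok in events if ok and ip in sources})


def accounts_to_lock(events):
    """Accounts reaching LOCKOUT_FAILURES consecutive failures (a success resets the streak)."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= LOCKOUT_FAILURES:
            locked.add(user)
    return sorted(locked)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    src = stuffing_sources(ev)
    print("stuffing sources:", {ip: sorted(u) for ip, u in src.items()})
    print("successful logins from those sources:", compromised_candidates(ev, src))
    print("accounts to lock:", accounts_to_lock(ev))
```

On the sample, the per-account lockout rule locks nobody: every stuffed account saw exactly one failure. The per-source rule flags 203.0.113.5 and, more usefully, names the one account whose leaked password worked, which is the session to kill and the user to force through a reset.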

3. Marks & Spencer and Co-op: Social Engineering Beats Technology

These UK retailers were targeted by a group called Scattered Spider. The attackers used SIM swapping and social engineering to impersonate employees. Then, they called the IT help desks and tricked staff into resetting passwords and MFA settings — giving attackers full access.

Initial access required no malware and no phishing email, just skilled social manipulation.

Why this matters:
Attackers know that humans are the weakest link. Even strong security tools can’t stop an employee from being tricked. Once inside, attackers often go after admin-level accounts or service accounts that no one monitors.

What to take away:
Help desk staff need better training to spot social engineering attempts, and a process that makes the right call easy: verify the caller out of band (a callback to a number already on file, or confirmation from the employee’s manager), and require a second approver before resetting the password or MFA of any privileged account. Access to sensitive SaaS tools should always be limited and logged, so that a reset followed by unusual activity is visible.

4. Victoria’s Secret: When SaaS Admin Accounts Go Unwatched

Victoria’s Secret had to delay its earnings report due to a cyber incident that affected both its website and in-store systems. Technical details have not been made public. What has been described is consistent with a compromise inside the SaaS platforms it relies on, most likely through an overprivileged and poorly protected admin account, but that is inference from the pattern, not a confirmed root cause.

Why this matters:
Many SaaS applications (like those used for managing inventory, processing orders, or handling analytics) rely on internal admin roles. If those roles are misconfigured, or if an attacker takes control of them, the damage can be massive. It doesn’t even require malware — just legitimate access.

What to take away:
Admin accounts should be closely monitored, and access permissions should be reviewed regularly. Just because someone is an admin today doesn’t mean they still need to be one next quarter.

5. Cartier & Dior: Customer Support Platforms Can Be a Hidden Weakness

Cartier and Dior were breached through the SaaS platforms they used for customer service and CRM (Customer Relationship Management). Attackers didn’t go through their internal systems — they targeted external platforms used to help customers.

These platforms are often connected to internal systems using API keys or machine accounts that are rarely rotated and easy to forget about.

Why this matters:
Customer service tools may seem harmless, but they often hold sensitive customer information — and they’re frequently connected to back-end systems. If those non-human accounts aren’t protected, hackers can steal massive amounts of data.

What to take away:
Every SaaS platform connected to your business is part of your attack surface. You should track how customer data flows through these systems and make sure all integrations are secure, especially those using API tokens or service accounts.
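The rotation of API keys mentioned above usually stalls for one practical reason: if the old key stops working the moment the new one is issued, the integration breaks until someone updates it, so nobody rotates. The following is an added example, not code from the article or from any vendor, of a key store that allows a short overlap window. The 7-day grace period, the 90-day lifetime and the names are assumptions made for the example.

```python
"""API-key rotation with an overlap window.

Added example, not the article's code. Models the credential store a SaaS
integration would be validated against. GRACE, LIFETIME and all names are
assumptions; keys are stored only as SHA-256 fingerprints, never in clear.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)       # previous key keeps working this long after rotation
LIFETIME = timedelta(days=90)   # keys expire even if nobody ever rotates them


def _fingerprint(key):
    return hashlib.sha256(key.encode()).hexdigest()


class FakeClock:
    """Injectable clock so the rotation timeline can be exercised deterministically."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class KeyStore:
    """Per-integration keys: at most two valid at once (current and previous)."""

    def __init__(self, clock):
        self._clock = clock
        self._keys = {}   # integration -> [(fingerprint, not_after, scopes), ...]

    def _new_key(self, scopes):
        key = "sk_" + secrets.token_urlsafe(32)
        return key, (_fingerprint(key), self._clock() + LIFETIME, frozenset(scopes))

    def issue(self, integration, scopes):
        key, record = self._new_key(scopes)
        self._keys[integration] = [record]
        return key

    def rotate(self, integration):
        """Issue a new key; the previous key stays valid only for GRACE."""
        now = self._clock()
        current_fp, current_expiry, scopes = self._keys[integration][0]
        key, record = self._new_key(scopes)
        self._keys[integration] = [record,
                                   (current_fp, min(current_expiry, now + GRACE), scopes)]
        return key

    def validate(self, integration, presented, scope):
        """True only for an unexpired key of this integration that carries the scope."""
        now = self._clock()
        fp = _fingerprint(presented)
        return any(hmac.compare_digest(stored_fp, fp) and now < not_after and scope in scopes
                   for stored_fp, not_after, scopes in self._keys.get(integration, []))

    def active_keys(self, integration):
        now = self._clock()
        return sum(1 for _, not_after, _ in self._keys.get(integration, []) if now < not_after)


def rotation_demo():
    """Walk one key through issue, rotate, grace expiry and lifetime expiry."""
    clock = FakeClock(datetime(2025, 7, 1, tzinfo=timezone.utc))
    store = KeyStore(clock)
    old = store.issue("crm-vendor", ["customers:read"])
    new = store.rotate("crm-vendor")
    clock.advance(timedelta(days=1))
    result = {
        "old_during_grace": store.validate("crm-vendor", old, "customers:read"),
        "new_during_grace": store.validate("crm-vendor", new, "customers:read"),
        "active_during_grace": store.active_keys("crm-vendor"),
    }
    clock.advance(timedelta(days=7))   # 8 days after rotation: grace is over
    result["old_after_grace"] = store.validate("crm-vendor", old, "customers:read")
    result["new_after_grace"] = store.validate("crm-vendor", new, "customers:read")
    result["wrong_scope"] = store.validate("crm-vendor", new, "customers:write")
    result["unknown_integration"] = store.validate("nope", new, "customers:read")
    clock.advance(LIFETIME)            # nobody rotated again: the new key dies too
    result["new_after_lifetime"] = store.validate("crm-vendor", new, "customers:read")
    return result


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

Two design choices matter here. The store never holds a key in clear, only its hash, so a leaked database dump does not hand out working credentials. And every key has a hard lifetime independent of rotation, so a forgotten integration of the kind described above eventually stops working instead of staying valid forever.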

So, What’s the Bigger Picture Here?

What all these incidents show is that you don’t need fancy malware or complex exploits to breach a major company. Hackers are getting in by using what's already available — usernames, forgotten tokens, weak passwords, and human mistakes.

They’re exploiting:

  • Third-party vendors who still have access

  • Passwords reused across different platforms

  • Help desk staff tricked into handing over access

  • Overprivileged SaaS admin accounts

  • Machine identities no one monitors

These identity-based attacks drop no malware and trip very few default alerts, because every step is a valid login, a valid token or a valid help-desk action. The evidence is there in authentication and audit logs, but it looks like ordinary activity unless someone is correlating it. That’s why they’re so dangerous, and why more and more attackers are using them.

What Can You Do to Protect Your Business?

Whether you’re running a global retail chain or a small e-commerce store, you can take real steps to stop these types of attacks. Here are some security tips every organization should follow:

  • Require phishing-resistant multi-factor authentication (MFA) for every human login. Service accounts and integrations cannot do MFA, so give them short-lived, narrowly scoped credentials restricted to the networks they are expected to connect from.

  • Review third-party access regularly. If a vendor no longer works with you, revoke their access immediately.

  • Rotate API keys and tokens periodically. Avoid leaving them active forever.

  • Train your support and help desk staff to recognize social engineering attempts.

  • Limit admin privileges to only those who absolutely need it — and only for as long as they need it.

  • Monitor SaaS identity behavior — both human and machine accounts — and flag anything unusual.
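The last item in the list, and the help-desk and admin-account sections earlier, all come down to the same thing: correlating events that are individually legitimate. The following is an added example, not code from the article or from any SaaS vendor, of three such rules run over a constructed audit log shaped like the help-desk social-engineering sequence described above. The event schema, the 24-hour window, the privileged role names and the service-account IP allowlist are all assumptions made for the example; real SaaS audit logs differ per product.

```python
"""Identity-anomaly rules over a SaaS audit log.

Added example, not the article's code. Event shape, field names, the window
and the allowlist are assumptions; the events are constructed, not real.
"""
from collections import Counter
from datetime import datetime, timedelta

RESET_TO_LOGIN = timedelta(hours=24)                # assumed correlation window
PRIVILEGED_ROLES = {"admin", "owner", "super_admin"}  # assumed role names
# Where each machine identity is expected to connect from (assumed allowlist).
SERVICE_ACCOUNT_SOURCES = {"svc-crm-sync": {"198.51.100.20"}}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed events: a help-desk MFA reset, a new-device login minutes later,
# a self-granted admin role, then a service account used from the same IP.
EVENTS = [
    {"t": ts("2025-06-10T09:00:00Z"), "type": "helpdesk.mfa_reset", "actor": "helpdesk01", "target": "jsmith"},
    {"t": ts("2025-06-10T09:12:00Z"), "type": "login", "user": "jsmith", "ip": "203.0.113.77", "new_device": True},
    {"t": ts("2025-06-10T09:30:00Z"), "type": "role.grant", "actor": "jsmith", "target": "jsmith", "role": "admin"},
    {"t": ts("2025-06-10T09:45:00Z"), "type": "login", "user": "svc-crm-sync", "ip": "203.0.113.77", "new_device": False},
    # A legitimate reset: the user next logs in two days later, outside the window.
    {"t": ts("2025-06-10T10:00:00Z"), "type": "helpdesk.mfa_reset", "actor": "helpdesk02", "target": "mlee"},
    {"t": ts("2025-06-12T10:00:00Z"), "type": "login", "user": "mlee", "ip": "198.51.100.8", "new_device": True},
]


def mfa_reset_then_new_device(events):
    """Help-desk MFA reset followed by a new-device login for the same user within the window."""
    alerts = []
    for r in (e for e in events if e["type"] == "helpdesk.mfa_reset"):
        for e in events:
            if (e["type"] == "login" and e["user"] == r["target"] and e["new_device"]
                    and r["t"] <= e["t"] <= r["t"] + RESET_TO_LOGIN):
                alerts.append(("mfa_reset_then_new_device", r["target"], e["ip"]))
    return alerts


def privileged_grants(events):
    """Every grant of a privileged role is worth a human look; a self-grant even more so."""
    return [("privileged_role_grant", e["target"], e["role"], e["actor"])
            for e in events if e["type"] == "role.grant" and e["role"] in PRIVILEGED_ROLES]


def service_account_from_unexpected_ip(events):
    """Machine identity used from outside its allowlist."""
    return [("service_account_unexpected_ip", e["user"], e["ip"])
            for e in events
            if e["type"] == "login" and e["user"] in SERVICE_ACCOUNT_SOURCES
            and e["ip"] not in SERVICE_ACCOUNT_SOURCES[e["user"]]]


def run_rules(events):
    events = sorted(events, key=lambda e: e["t"])
    return (mfa_reset_then_new_device(events)
            + privileged_grants(events)
            + service_account_from_unexpected_ip(events))


def correlated_ips(alerts):
    """IPs appearing in more than one alert: one intruder pivoting between identities."""
    ips = Counter(a[-1] for a in alerts
                  if a[0] in {"mfa_reset_then_new_device", "service_account_unexpected_ip"})
    return sorted(ip for ip, n in ips.items() if n > 1)


if __name__ == "__main__":
    alerts = run_rules(EVENTS)
    for alert in alerts:
        print(alert)
    print("pivot IPs:", correlated_ips(alerts))
```

None of the three raw events is suspicious on its own: help desks reset MFA, people log in from new laptops, admins grant roles, and service accounts log in. Chained, and sharing one source IP across a human and a machine identity, they are the whole story of the attacks above. The second reset in the sample, followed by a login two days later, produces nothing, which is the false-positive case the window exists for.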

Cyber attackers are no longer kicking in the front door. They’re walking in through the side gate, wearing a uniform and holding a key you gave them two years ago.

If you're not keeping track of who has access to what, when, and how — you're already at risk.

Make identity a core part of your security strategy. Because in today’s world, your weakest point might not be a broken system — it might be a forgotten login.
