Full Report
In June 2022, the Japanese record chain store Disk Union suffered a data breach. The incident exposed 690k unique email addresses along with names, post codes, phone numbers and plain text passwords.
Analysis Summary
# Incident Report: Disk Union Data Breach (June 2022)
## Executive Summary
In June 2022, Japanese record chain store Disk Union suffered a data breach resulting in the exposure of nearly 700,000 user records. The exposed data included email addresses, names, phone numbers, post codes, and crucially, passwords stored in plain text. The immediate response focused on user remediation actions such as changing passwords and enabling 2FA.
## Incident Details
- Discovery Date: Information publicly surfaced/added to HIBP on 7 Jun 2025 (Note: This date likely refers to the date the breach knowledge was widely published or indexed by HIBP, not necessarily the breach discovery date itself).
- Incident Date: June 2022
- Affected Organization: Disk Union
- Sector: Retail (Record Chain Store)
- Geography: Japan
## Timeline of Events
### Initial Access
- Date/Time: June 2022 (Approximate)
- Vector: Not explicitly detailed in the source.
- Details: Attackers gained access leading to the exfiltration of user data.
### Lateral Movement
- No specific details provided regarding internal lateral movement.
### Data Exfiltration/Impact
- Compromised Data: 690,700 unique user records, including email addresses, geographic locations (post codes), names, phone numbers, usernames, and **plain text passwords**.
### Detection & Response
- Detection: Breach was publicly acknowledged or indexed by Have I Been Pwned (HIBP) on 7 Jun 2025, indicating retrospective disclosure or discovery.
- Response actions taken: Recommendations were made to affected users to change affected passwords immediately and enable Two-Factor Authentication (2FA).
## Attack Methodology
- Initial Access: Unknown
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Implied access to a database containing credentials.
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: Gathering of user PII and credential data.
- Exfiltration: Data stolen and subsequently indexed by HIBP.
- Impact: Broad exposure of sensitive personally identifiable information (PII) and plaintext credentials.
## Impact Assessment
- Financial: Not estimated in the provided text.
- Data Breach: Approximately 690.7 thousand user records exposed. Data included PII (names, phone numbers, post codes) and plaintext passwords.
- Operational: No information provided on operational disruption.
- Reputational: Negative impact due to the exposure of plain text passwords.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: None provided.
## Response Actions
- Containment: Not specified.
- Eradication: Not specified.
- Recovery actions: Recommendations focused on user recovery:
   1. Change password immediately if it was used on Disk Union since 2022.
   2. Enable Two-Factor Authentication (2FA).
## Lessons Learned
- The storage of plaintext passwords represents a critical security failure, significantly amplifying the impact of any breach involving credentials.
- Data retention policies should be reviewed to minimize the amount of sensitive PII held on users.
## Recommendations
- Immediately replace plaintext password storage with a salted, purpose-built password hashing function (e.g., Argon2, bcrypt).
- Mandate or strongly encourage the use of Two-Factor Authentication (2FA) for all user accounts.
- Conduct a comprehensive audit of security configurations, access controls, and patch management processes to determine the initial point of compromise.