US clothing retailer J.Crew says it was the victim of a credential stuffing attack around April 2019. Credentials stuffing is a type of attack where hackers use large collections of username/password combinations bought from underground markets and leaked after previous security breaches to gain access to user accounts on other online platforms. The attackers might have been able to access the account holders’ first and last names, their email address, and the 16-digit DD Perks account number and QR code. The company has disabled the accounts of all impacted customers and asks them to reset their passwords.
Source: https://www.bleepingcomputer.com/news/security/jcrew-disables-user-accounts-after-credential-stuffing-attack/