Bonobos 2020 Data Breach

Bonobos Men's Apparel Retailer Breach (2020): 15 Million Customer Records Including Partial Credit Card Data, Passwords & Purchase History Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

MisconfigurationRetailCredit CardEmail AddressFull NameIP AddressPasswordPhone NumberPhysical AddressTransaction History
Moderate SeverityWebsite / service breach

Bonobos Men's Apparel Retailer Breach (2020): 15 Million Customer Records Including Partial Credit Card Data, Passwords & Purchase History Exposed

Men’s apparel retailer.

Verified by ObscureIQ Intelligence
54/100Breach Risk Index
20Data Value
25Market Recency
512dSince Breach

Breach Intelligence Summary

Entity: Bonobos · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Company · Apparel retail · Direct-to-consumer fashion brand · USA
Timeline: Breach (2020-08-14) · Indexed (Dec 01, 2024) · Year (2020)
Exposure: 15.8M records · 8 fields: Credit Card, Email Address, Full Name, IP Address, Password, Phone Number, Physical Address, Transaction History
Status: Confirmed

Executive Summary

Bonobos, the American men's apparel retailer, suffered a data breach in August 2020 when an unauthorized party accessed a cloud backup file containing roughly 70GB of customer data. The breach stemmed from a misconfiguration that exposed the backup directly, without any need to bypass security controls. The stolen data was subsequently posted to a public hacking forum. In total, approximately 15.8 million records were compromised, affecting customers of the brand during its period of Walmart ownership. The exposed data included names, email addresses, physical addresses, IP addresses, phone numbers, and purchase histories. Passwords stored as salted SHA-512 hashes were also included, along with historical passwords from prior account activity. Partial credit card details were exposed as well, specifically card type, the name on the card, expiry date, and the last four digits. The inclusion of historical passwords is particularly notable: even where current passwords were changed, older passwords can reveal patterns in how a person constructs credentials, making other accounts easier to compromise. Purchase history adds another layer of risk by exposing personal habits and lifestyle details that can sharpen phishing and social engineering attempts. Bonobos was notified of the exposure by Troy Hunt of the breach notification service Have I Been Pwned, and the company confirmed the breach. No prominent regulatory action or settlement specific to this incident has been documented. Affected individuals remain at elevated risk of phishing, delivery impersonation scams, order fraud, and credential-stuffing attacks across other services where similar passwords may have been reused.

ObscureIQ assessment: Exposure enables phishing, order fraud, delivery impersonation, and customer-service scams. Purchase history may also reveal demographic and lifestyle signals that improve targeting.

Breach Impact

In August 2020 an unauthorized party gained access to a Bonobos cloud backup file containing approximately 70GB of customer data. The exposed dataset included approximately 15.8 million records with email addresses, partial credit card data, names, IP addresses, phone numbers, physical addresses, purchase histories, and historical passwords. The data was subsequently posted publicly to a hacking forum. Bonobos was notified of the exposure by Troy Hunt of Have I Been Pwned and then confirmed the breach. No settlement or regulatory action specific to this incident has been prominently documented. The breach occurred under Walmart's ownership.

About Bonobos

Bonobos is an American men's apparel retailer founded in 2007 and known for its direct-to-consumer model and emphasis on fit. The brand was acquired by Walmart in 2017 for approximately $310 million as part of Walmart's push into premium e-commerce. In 2023 WHP Global acquired Bonobos from Walmart for approximately $75 million following a significant markdown of the original acquisition value. The brand operates online and through a network of guideshop showrooms.

Why They Hold Your Data

Direct-to-consumer apparel brands collect customer identity, contact details, addresses, order history, fitting or style records, and payment-adjacent data across e-commerce operations.

Recent Developments

Following the 2023 acquisition by WHP Global, Bonobos has operated with a reduced footprint. The brand's sale at a steep discount from Walmart's purchase price reflected broader struggles Walmart encountered with its premium direct-to-consumer acquisitions. WHP Global has focused on maintaining the brand's identity while managing its operational footprint.

Data Points Exposed

8 verified field types
Credit Card Critical
Email Address
Full Name High
IP Address
Password Critical
Phone Number
Physical Address High
Transaction History High

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Financial fraud using exposed financial profile data
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Card-present & card-not-present fraud
  • Card identification & social engineering
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • Credential stuffing with pattern analysis
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Lifestyle profiling & targeted fraud

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Bonobos breach?

Bonobos, the American men's apparel retailer, suffered a data breach in August 2020 when an unauthorized party accessed a cloud backup file containing roughly 70GB of customer data. The breach stemmed from a misconfiguration that exposed the backup directly, without any need to bypass security…

What data was exposed?

Verified fields include Credit Card, Email Address, Full Name, IP Address, Password, Phone Number, Physical Address, Transaction History.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Keeper
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation