Bonobos Data Breach
Bonobos Men's Apparel Retailer Breach (2020): 15 Million Customer Records Including Partial Credit Card Data, Passwords & Purchase History Exposed
Men’s apparel retailer.
Risk Interpretation
Exposure enables phishing, order fraud, delivery impersonation, and customer-service scams. Purchase history may also reveal demographic and lifestyle signals that improve targeting.
Impact & Downstream Threats
In August 2020 an unauthorized party gained access to a Bonobos cloud backup file containing approximately 70GB of customer data. The exposed dataset included approximately 15.8 million records with email addresses, partial credit card data, names, IP addresses, phone numbers, physical addresses, purchase histories, and historical passwords. The data was subsequently posted publicly to a hacking forum. Bonobos was notified of the exposure by Troy Hunt of Have I Been Pwned and then confirmed the
- Credential stuffing against reused passwords across other platforms
- Financial fraud using exposed financial profile data
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Bonobos, the American men's apparel retailer, suffered a data breach in August 2020 when an unauthorized party accessed a cloud backup file containing roughly 70GB of customer data. The breach stemmed from a misconfiguration that exposed the backup directly, without any need to bypass security controls. The stolen data was subsequently posted to a public hacking forum. In total, approximately 15.8 million records were compromised, affecting customers of the brand during its period of Walmart ownership. The exposed data included names, email addresses, physical addresses, IP addresses, phone numbers, and purchase histories. Passwords stored as salted SHA-512 hashes were also included, along with historical passwords from prior account activity. Partial credit card details were exposed as well, specifically card type, the name on the card, expiry date, and the last four digits. The inclusion of historical passwords is particularly notable: even where current passwords were changed, older passwords can reveal patterns in how a person constructs credentials, making other accounts easier to compromise. Purchase history adds another layer of risk by exposing personal habits and lifestyle details that can sharpen phishing and social engineering attempts. Bonobos was notified of the exposure by Troy Hunt of the breach notification service Have I Been Pwned, and the company confirmed the breach. No prominent regulatory action or settlement specific to this incident has been documented. Affected individuals remain at elevated risk of phishing, delivery impersonation scams, order fraud, and credential-stuffing attacks across other services where similar passwords may have been reused.
About Bonobos
Bonobos is an American men's apparel retailer founded in 2007 and known for its direct-to-consumer model and emphasis on fit. The brand was acquired by Walmart in 2017 for approximately $310 million as part of Walmart's push into premium e-commerce. In 2023 WHP Global acquired Bonobos from Walmart for approximately $75 million following a significant markdown of the original acquisition value. The brand operates online and through a network of guideshop showrooms.
Why They Hold Your Data
Direct-to-consumer apparel brands collect customer identity, contact details, addresses, order history, fitting or style records, and payment-adjacent data across e-commerce operations.
Recent Developments
Following the 2023 acquisition by WHP Global, Bonobos has operated with a reduced footprint. The brand's sale at a steep discount from Walmart's purchase price reflected broader struggles Walmart encountered with its premium direct-to-consumer acquisitions. WHP Global has focused on maintaining the brand's identity while managing its operational footprint.
Data Points Exposed
Exposure Categories
Canonical Fields
credit_card:partial, email_address, full_name, ip_address, password, password:historical, phone_number, physical_address, transaction_history:purchase
Dark Web Verification
- Dataset containing ~15.8M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: bonobos.com-2020;Bonobos Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Bonobos
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam