After Zoetop discovered user logins from the 2018 attack on the dark web, Romwe customers were alerted of a data breach two years later. When Zoetop eventually reset passwords for all Romwe clients in December 2020, the inquiry discovered that it informed consumers that their passwords had expired after a year of not being updated. The notice was changed the following February with one that simply read, “We identified suspicious behavior, please verify your identity in order to reinstate your account.” The OAG investigation also found that at the time of the incident, Zoetop “failed to maintain acceptable security measures,” such as utilizing insufficient password management methods and failing to monitor for security risks or have a thorough strategy in place in event of a cyberattack.
