How Stolen Passwords Crippled a Japanese Retail Giant
How criminals used leaked credentials to infiltrate Askul, steal 1.1 terabytes of data and disrupt Japan’s retail supply chain. Updated with modern MFA and passkey guidance.
Why it matters
Cyber criminals did not need to smash the doors down. They simply walked in using real employee passwords that had been stolen years earlier. This single weakness brought one of Japan’s biggest e-commerce and logistics companies to a halt and caused ripple effects across the country’s retail sector.
In late October 2025, Japanese retailer Askul Corporation became the latest victim of a new breed of cyber attack that avoids the traditional ransomware playbook. There was no encryption. No locked screens. No flashing skulls. Instead, the attackers quietly stole over a terabyte of sensitive data from inside Askul’s warehouse and order systems, then threatened to release it publicly unless paid.
This technique is known as data extortion. If ransomware is a burglar smashing your windows and demanding money, data extortion is a thief copying your house keys and entering whenever you are not looking.
Askul operates several major online platforms and supports millions of customers and business partners. When the attack unfolded, the shockwaves hit Japan’s retail sector almost instantly.
The incident: What happened inside Askul
On 19 October 2025, Askul detected unusual activity inside its warehouse management and order processing systems. These systems are the beating heart of a logistics business. They track orders, coordinate stock, move goods through warehouses and handle dispatch. To stop the attack spreading, Askul shut down parts of its infrastructure, which meant online orders and shipments had to pause.
On 30 October, a cyber criminal group called RansomHouse claimed responsibility. They boasted on the dark web that they had stolen 1.1 terabytes of data. Two days later, Askul confirmed the breach.
Attribution: Who attacked Askul
Askul’s investigators and external analysts confirmed that RansomHouse carried out the operation. The group has a track record of similar attacks against global retailers, manufacturers and logistics firms.
RansomHouse, a Russia-linked criminal group, is not a breakaway hacker faction or a hobbyist group. Its members are organised, financially motivated criminals who specialise in stealing large amounts of data and threatening to leak it to embarrass companies, damage relationships and force payment. Unlike traditional ransomware gangs, they skip the encryption stage entirely. That makes them faster and harder to detect.
The attack vector: How they got in
RansomHouse did not exploit a technical vulnerability or break through a firewall. Instead, they used something far more mundane and far more dangerous: old employee credentials.
Think of leaked credentials as lost keys. If you drop a keyring and never change your locks, anyone who finds the keys can stroll in whenever they like.
Investigators found that Askul’s VPN credentials had appeared in underground marketplaces for years. These markets are fuelled by infostealer malware such as RedLine, LummaC and Arkei, which infect personal devices, scrape passwords and then sell them to criminals.
Once inside Askul’s systems, the attackers:
• Used remote access tools such as TeamViewer to remain hidden
• Explored databases and supplier records over an extended period
• Behaved like legitimate users to avoid alarms
• Selected specific high-impact data to steal, focusing on customer and supplier information
Because the attackers did not encrypt anything, they moved around quietly and avoided notice for weeks.
Impact: How the attack hit Askul and Japan’s retail sector
The consequences were immediate and nationwide.
• Over 1.1 terabytes of data stolen, including customer names, contact details, purchase history and supplier information
• No credit card data taken, preventing a larger consumer protection crisis
• Three major retail platforms halted: Askul, Lohaco and Soloel Arena
• Cascading supply chain disruption affecting major Japanese retailers such as Muji and The Loft, which had to suspend online operations
• Estimated ¥10 billion in financial losses and a 15 percent drop in Askul’s share price
• More than ten days of disruption before partial recovery
For a logistics company, losing warehouse and order management systems is like a supermarket losing electricity. Everything stops instantly.
Data extortion attacks hit companies in the areas they fear most: reputation, consumer trust and supplier relationships.
Why this incident matters for society
When a major online retailer goes down, it is not just a business story. It affects millions of people.
• Small businesses relying on Askul for supplies could not receive goods
• Retailers lost sales during peak periods
• Consumers faced delays and uncertainty
• Sensitive personal information may circulate online for years
Incidents like this show how tightly connected modern supply chains are. One compromised password at a single organisation can trigger a nationwide economic shock.
How Askul responded
Askul’s response was fast and extensive.
• Disconnected critical systems to prevent further damage
• Mobilised more than 100 engineers and 30 external specialists from LY Corporation and S and J
• Involved Japanese authorities and international law enforcement
• Notified affected customers and partners
• Began a full infrastructure audit and enterprise-wide credential reset
Their quick action limited the damage, but the investigation continues.
The bigger lesson: Passwords alone are obsolete
The Askul breach highlights a simple truth: attacks succeed not because criminals are sophisticated but because companies still depend on passwords as the main line of defence.
A password is a house key that can be copied, stolen or sold. Once it leaks, it is no longer protection. Even changing it is not enough if criminals already have ways to reuse or bypass it.
Modern defence is about making the stolen key worthless. This is where multi-factor authentication (MFA) and passkeys change the game.
What businesses should learn
For non-technical readers, here is the simplest way to understand the solution.
If you rely on passwords alone, you are holding your front door shut with a single latch. MFA adds a second lock. Passkeys remove the key entirely.
• Multi-factor authentication (MFA) requires two forms of verification. Something you know, like a password, plus something you have, like your phone. Even if criminals have the password, they cannot complete the second step.
• Passkeys replace passwords with cryptographic keys stored on your device. They cannot be guessed, reused or stolen from a database. They are more like a car that only starts when the driver’s fingerprint is present.
These approaches convert leaked passwords from a crisis into an irrelevance.
What to do next
For organisations:
• Implement MFA on every sensitive system including VPNs and remote access
• Introduce passkey authentication to eliminate password theft risk
• Block outdated remote access tools that attackers often misuse
• Monitor for leaked credentials on criminal marketplaces
• Assess supply chain partners for similar weaknesses
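One way to check the MFA item above in practice, as an added example that is not from Askul or the original article: a Python audit of VPN authentication logs that flags successful logins completed with a password alone and logins by accounts that had gone unused for a long time. The log format, the 180-day dormancy threshold and every sample line are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample VPN log (not real data). Assumed format:
# ISO timestamp, user, source IP, factors used, result
SAMPLE_LOG = """\
2023-03-14T09:00:00 old-contractor 203.0.113.20 password success
2025-01-10T08:02:11 tanaka 198.51.100.7 password+totp success
2025-06-02T08:05:40 tanaka 198.51.100.7 password+totp success
2025-10-01T02:13:55 old-contractor 192.0.2.44 password success
2025-10-01T02:14:10 sato 192.0.2.44 password failure
2025-10-02T09:30:00 sato 198.51.100.9 passkey success
"""

DORMANT_AFTER = timedelta(days=180)  # assumed threshold, tune per policy


def audit_vpn_logins(log_text, dormant_after=DORMANT_AFTER):
    """Return (timestamp, user, source_ip, reasons) for risky successful logins."""
    records = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts_raw, user, src_ip, factors, result = fields
        records.append((datetime.fromisoformat(ts_raw), ts_raw, user,
                        src_ip, factors, result))
    records.sort(key=lambda r: r[0])  # dormancy check needs time order

    last_success = {}  # user -> time of previous successful login
    findings = []
    for ts, ts_raw, user, src_ip, factors, result in records:
        if result != "success":
            continue
        reasons = []
        if factors == "password":
            reasons.append("password-only")  # no second factor was used
        previous = last_success.get(user)
        if previous is not None and ts - previous > dormant_after:
            reasons.append("dormant-account")  # old credential back in use
        if reasons:
            findings.append((ts_raw, user, src_ip, reasons))
        last_success[user] = ts
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_logins(SAMPLE_LOG):
        print(finding)
```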
For individuals:
• Turn on MFA wherever it is offered
• Begin adopting passkeys when banks, retailers or email providers support them
• Use a password manager for accounts that have not yet upgraded






Love this perspective. Your thief-with-keys analogy is spot on for data extortion. It's wild how often the weakest link is just... forgotten credentials. Seems like some companies really need to audit their old access points more often. Great read!