Details about Sephora’s data breach

Image by Sephora.

Updated on 1 August with technical details of the breach from cybersecurity company Group-IB.

French multinational beauty product retailer Sephora has made an announcement in an email sent to customers that it has discovered a data breach over the last two weeks. The breach “may have exposed some personal information to unauthorized third parties, including first and last name, date of birth, gender, email address and encrypted password, as well as data related to beauty preferences,” said the statement.

In a statement released to the media, Ilya Sachkov, CEO and Founder of cybersecurity company Group-IB, said that his company’s threat intelligence team “has identified information connected to this incident, and it is our duty to the community to provide clarity to the breach, so that similar incidents can be prevented in the future.”

Two databases leaked

Sachkov said that Group-IB’s proprietary Darknet monitoring tools, which detect threats such as breaches, had discovered two databases with customer data on underground forums that are likely to be related to Sephora.

“The first database was advertised on two Darknet forums on July 6 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from (Indonesia) and (Thailand). The listing’s author notes that the data comes from February 2019,” said Sachkov.

“The second database, discovered by Group-IB Threat Intelligence team, surfaced on an underground forum on July 28, 2019, just one day before the news about Sephora customers’ data breach came out. As its name implies Sephora 2019/03 – Shopping – [3.2 million], the database contains 3.2 million records, and was leaked in March 2019. Group-IB cyber intelligence team, using own tools developed over decades and infiltrated sources in closed hacking communities, contacted the seller, who provided the sample of the data that is being sold.”

Customer details

The examination of the sample by Group-IB team revealed that the database contains the following information: login, encrypted password, date of registration and last activity, ip of registration, last ip, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines. The set of data was offered for sale at USD 1,900. 

Sephora said that the breach was limited to e-commerce customer information stored in its database serving the Southeast Asia, Hong Kong, and ANZ region. It also further stated that no credit card details have been leaked, and recommended that customers change their passwords and use the Experian IdentityWorks service to monitor their personal data. Sephora has cancelled all existing passwords for customer accounts as a precautionary measure.

Precautions and future steps

Sachkov said, “Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks that is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.”

In an FAQ posted on the website, Sephora said that it is “monitoring its systems closely” and has not detected any suspicious activity. On discovering the breach, Sephora “immediately appointed independent experts” to investigate the incident, and after verifying the details, contacted its customers. It stated that while no personal information of customers has so far been misused, the probe into the extent of the breach is ongoing.

It indicated that the physical stores have not been affected and “it is safe to make purchases on the Sephora website or via the mobile app.”