Group-IB’s commentary on Sephora customers’ data breach in Southeast Asia

The Group-IB Threat Intelligence team has identified information connected to the incident, and it is our duty to the community to provide clarity on the breach so that similar incidents can be prevented in the future.

Our cyber intelligence analysts, using proprietary Darknet monitoring tools that detect threats such as breaches, have discovered two databases with customer data on underground forums that are likely to be related to Sephora, a multinational chain of personal care and beauty stores.

The first database was advertised on two Darknet forums on July 7 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from Sephora.co.id (Indonesia) and Sephora.co.th (Thailand). The listing’s author notes that the data comes from February 2019.

The second database, discovered by the Group-IB Threat Intelligence team, surfaced on an underground forum on July 28, 2019, just one day before the news about the Sephora customers’ data breach came out. As its name, «Sephora 2019/03 — Shopping — [3.2 million]», implies, the database contains 3.2 million records and was leaked in March 2019.

Group-IB’s cyber intelligence team, using sockpuppets developed over decades and infiltrated sources in closed hacking communities, contacted the seller, who provided a sample of the data that is being sold. The examination of the sample revealed that the database contains the following information: login, encrypted password, date of registration and last activity, IP of registration, last IP, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines. The set of data is offered for sale at USD 1,900.

Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks, which is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.

Ilya Sachkov

CEO and Founder of Group-IB, Singapore-based Cybersecurity Company

About Group-IB

Established in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime globally. Headquartered in Singapore, and with Digital Crime Resistance Centers in the Americas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive, intelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its Unified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence Platform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection, Managed Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface Management solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond. Group-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify cybersecurity worldwide, and has been awarded by advisory agencies including Datos Insights, Gartner, Forrester, Frost & Sullivan, and KuppingerCole.

For more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.
