Group-IB’s commentary on Sephora customers’ data breach in Southeast Asia

The Group-IB Threat Intelligence team has identified information connected to the incident, and it is our duty to the community to provide clarity on the breach, so that similar incidents can be prevented in the future.

Our cyber intelligence analysts, using proprietary Darknet monitoring tools that detect threats such as breaches, have discovered two databases with customer data on underground forums that are likely to be related to Sephora, a multinational chain of personal care and beauty stores.

The first database was advertised on two Darknet forums on July 7 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from Sephora.co.id (Indonesia) and Sephora.co.th (Thailand). The listing’s author notes that the data comes from February 2019.

The second database, discovered by the Group-IB Threat Intelligence team, surfaced on an underground forum on July 28, 2019, just one day before the news about Sephora customers’ data breach came out. As its name, «Sephora 2019/03 — Shopping — [3.2 million]», implies, the database contains 3.2 million records and was leaked in March 2019.

The Group-IB cyber intelligence team, using sockpuppets developed over decades and infiltrated sources in closed hacking communities, contacted the seller, who provided a sample of the data that is being sold. The examination of the sample revealed that the database contains the following information: login, encrypted password, date of registration and last activity, IP of registration, last IP, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines. The set of data is offered for sale at USD 1,900.

Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks, which is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.

Ilya Sachkov

CEO and Founder of Group-IB, Singapore-based Cybersecurity Company

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.