1 August 2019

Group-IB’s commentary on Sephora customers’ data breach in Southeast Asia

The Group-IB Threat Intelligence team has identified information connected to the incident, and it is our duty to the community to provide clarity on the breach so that similar incidents can be prevented in the future.

Our cyber intelligence analysts, thanks to proprietary Darknet monitoring tools which make it possible to detect threats such as breaches, have discovered two databases with customer data on underground forums that are likely to be related to Sephora, a multinational chain of personal care and beauty stores.

The first database was advertised on two Darknet forums on July 7 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from Sephora.co.id (Indonesia) and Sephora.co.th (Thailand). The listing’s author notes that the data comes from February 2019.

The second database, discovered by the Group-IB Threat Intelligence team, surfaced on an underground forum on July 28, 2019, just one day before the news about the Sephora customers’ data breach came out. As its name, «Sephora 2019/03 — Shopping — [3.2 million]», implies, the database contains 3.2 million records and was leaked in March 2019.

The Group-IB cyber intelligence team, using sockpuppets developed over decades and infiltrated sources in closed hacking communities, contacted the seller, who provided a sample of the data that is being sold. The examination of the sample revealed that the database contains the following information: login, encrypted password, date of registration and last activity, IP of registration, last IP, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines. The set of data is offered for sale at USD 1,900.

Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks, which is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.

Ilya Sachkov

CEO and Founder of Group-IB, Singapore-based Cybersecurity Company

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
