1 August 2019

Group-IB’s commentary on Sephora customers’ data breach in Southeast Asia

The Group-IB Threat Intelligence team has identified information connected to the incident, and it is our duty to the community to provide clarity on the breach, so that similar incidents can be prevented in the future.

Our cyber intelligence analysts, thanks to proprietary Darknet monitoring tools which make it possible to detect threats such as breaches, have discovered two databases with customer data on underground forums that are likely to be related to Sephora, a multinational chain of personal care and beauty stores.

The first database was advertised on two Darknet forums on July 7 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from (Indonesia) and (Thailand). The listing’s author notes that the data comes from February 2019.

The second database, discovered by the Group-IB Threat Intelligence team, surfaced on an underground forum on July 28, 2019, just one day before the news about the Sephora customers’ data breach came out. As its name, «Sephora 2019/03 — Shopping — [3.2 million]», implies, the database contains 3.2 million records and was leaked in March 2019.

The Group-IB cyber intelligence team, using sockpuppets developed over decades and infiltrated sources in closed hacking communities, contacted the seller, who provided a sample of the data that is being sold. The examination of the sample revealed that the database contains the following information: login, encrypted password, date of registration and last activity, IP of registration, last IP, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines. The set of data is offered for sale at USD 1,900.

Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks, which is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.

Ilya Sachkov

CEO and Founder of Group-IB, Singapore-based Cybersecurity Company

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. The Group-IB Threat Intelligence system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s 16 years of experience in cybercrime investigations all over the world and 55 000 hours of incident response accumulated in the largest forensic laboratory in Eastern Europe and a 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.
