Group-IB Threat Intelligence team has identified information connected to the incident, and it is our duty to the community to provide clarity to the breach, so that similar incidents can be prevented in the future.
Our cyber intelligence analysts, thanks to proprietary Darknet monitoring tools which allow to detect threats such as breaches, have discovered two databases with customer data on underground forums that are likely to be related to Sephora, multinational chain of personal care and beauty stores.
The first database was advertised on two Darknet forums on July 7 and 17 respectively. According to the seller, the database consists of 500,000 records including the usernames and hashed passwords from Sephora.co.id (Indonesia) and Sephora.co.th (Thailand). The listing’s author notes that the data comes from February 2019.
Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks that is why the scale of the breach shouldn’t be underestimated. As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.

Ilya Sachkov
CEO and Founder of Group-IB, Singapore-based Cybersecurity Company