weerapat1003 - stock.adobe.com

Leaked Sephora databases peddled on dark web

Cyber security firm finds two databases likely to be related to the Sephora data breach that affected online customers in Southeast Asia, Australia and New Zealand

Singapore-based cyber security firm Group-IB has discovered two databases with customer data on the dark web that are likely to be related to the data breach that hit Sephora, a multinational chain of personal care and beauty stores.

Earlier this week, Sephora informed more than three million online customers in Southeast Asia, Hong Kong, Australia and New Zealand that their personal information “may have been exposed to unauthorised third parties, including first and last name, date of birth, gender, email address and encrypted password, as well as data related to beauty preferences”.

In a statement today, Group-IB said its threat intelligence team had “identified information connected to this incident, and it is our duty to the community to provide clarity to the breach, so that similar incidents can be prevented in the future”.

Group-IB discovered the compromised databases using its proprietary dark web monitoring tools.

The first database was advertised on two dark web forums on 6 and 17 July, respectively. According to the seller, the database comprised 500,000 records including usernames and hashed passwords from Sephora.co.id (Indonesia) and Sephora.co.th (Thailand). The listing’s author noted that the data was from February 2019.

The second database surfaced on an underground forum on 28 July, one day before reports about the Sephora breach surfaced. As its name, “Sephora 2019/03 – Shopping - [3.2 million]”, implies, the database contains 3.2 million records, and was leaked in March 2019.

The Group-IB cyber intelligence team, using its own tools developed over decades, infiltrated sources in closed hacking communities and contacted the seller, who subsequently provided a sample of the data that was being sold.

On examining the data sample, Group-IB analysts found the database contained login information, encrypted passwords, date of registration and last activity, IP address of last activity and names, as well as personal details including hair and eye colour. This dataset was offered for sale at US$1,900.

Read more about cyber security in APAC

Group-IB said that even though the records did not include payment information or decrypted passwords, such details about customers can be used to carry out social engineering or targeted phishing attacks.

“That is why the scale of the breach should not be underestimated,” it added. “As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised.”

Sanjay Aurora, managing director of Darktrace in Asia-Pacific, said the latest data breach demonstrates that no system – even those belonging to a well-established global brand – is immune to vulnerabilities.

“Online platforms are ultimately just lines of code,” Aurora said. “One seemingly small mistake in these lines of ones and zeros can cause a wide range of unintended business risks to emerge. As retailers rapidly transition to online platforms and apps in lieu of brick and mortar stores, confronting the challenge of cyber security in the digital age will be just as critical as the physical CCTV cameras monitoring for shoplifters.

“But unlike traditional thieves, cyber criminals attack at any time of day or night, steal far more than just goods, and throughout it all, remain entirely anonymous. For this reason, new technologies, such as the ones leveraging AI [artificial intelligence], will become a crucial ally for retailers – enabling them to not only safeguard against advanced attackers but also to stop simple software vulnerabilities from escalating into damaging breaches.”

Read more on Data breach incident management and recovery