SINGAPORE: About 3.7 million customer records “likely to be related” to the Sephora data breach are on sale on the Dark Web, according to one cybersecurity vendor.
Singapore-headquartered company Group-IB said in a news release on Thursday (Aug 1) its threat intelligence team found two databases with customer data on underground forums, with the leak dating back to as early as February this year.
CEO Ilya Sachkov said in the release that the first database was advertised on two underground forums on Jul 7 and Jul 17, respectively. According to the seller, the database consists of 500,000 records including the user names and hashed passwords from Sephora’s Indonesia and Thailand websites.
The listing said the data was from February this year, he added.
The second database surfaced on an underground forum on Jul 28 this year, a day before news of the breach broke. The database name - “Sephora 2019/03 – Shopping - [3.2 million]” – contained 3.2 million records and was leaked in March this year, the company said.
The CEO said his team used its proprietary tools to “infiltrate sources in closed hacking communities” to contact the seller, who then provided the sample of the data being sold.
The sample showed the databases contains login, encrypted password, date of registration and last activity, IP of registration, last IP, gender, name, surname, ethnicity, eye color, skin tone, skin type, hair color, hair concerns, makeup essentials, and skincare routines, he said, adding the set of data was being sold for US$1,900 (S$2,613).
“Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks. That is why the scale of the breach shouldn’t be underestimated,” Mr Sachkov said.
CNA has contacted Sephora for its comments on Group-IB's findings.
The international beauty retailer said on Monday personal details of Sephora’s online customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, Australia and New Zealand have been leaked but did not disclose the number of affected customers.
It added that no credit card information was accessed and it has no reason to believe that any personal data has been misused. It also contracted external experts, who concluded that there was no major vulnerability found on Sephora’s Southeast Asia websites and found no trace of a cyberattack.
However, these statements drew criticism from another cybersecurity vendor. Mr Nabil Hannan, managing principal at Synopsys Software Integrity Group, questioned Sephora’s claim that it found no reason any personal data has been misused.
“This is very hard to claim given they have made a statement that user data has been breached, including things like first and last name, date of birth and gender,” Mr Hannan said. “It’s not possible to determine how this data may have been misused after the breach.”
He also pointed out that while no major vulnerability was found, this may not be required for a breach to happen.
“Organisations also need to consider that potential malicious insider threats may exist,” Mr Hannan said. “For example, when looking at where the database was breached, it’s important to understand the threat model of the system, and determine things like who had access to the database and if they really needed to have access.”
The Personal Data Protection Commission of Singapore (PDPC) said it has been notified by Sephora Digital SEA of the incident and is “looking into it”.