The cybersecurity firm Group-IB recently discovered that personal information was being sold on the dark web, a part of the Internet popular with hackers.
This personal information belonged to customers of Sephora. About 3.7 million people were affected by this personal data leak.
According to the Singapore-based IT security firm, the sale began between July 7 and July 17 this year. The leak itself reportedly dates back to February of this year. The first stolen database offered for sale reportedly contains approximately five hundred thousand (500,000) personal records and login credentials (passwords, names, usernames, etc.). All of these records concern customers who routinely visit Sephora's Indonesian and Thai sites.
The second database began circulating around July 28 of this year. According to the cybersecurity firm, it contains 3.2 million personal records and was referred to as "Sephora 2019/03 – Shopping". Its leak dates from March of this year.
Group-IB claims it had to work undercover to gain access to the platform where the stolen data was being sold, a platform reserved for a very closed group of hackers. The company claims to have had access to samples of the data being sold. The information is highly personal, covering individuals' personal and even physical characteristics. The firm's experts say they have seen data such as the first and last names of several people, login credentials (usernames, passwords, etc.), IP addresses, login data, ethnicity, hair color, gender, etc. In addition, details about Sephora customers such as eye, skin or toiletry habits were also available. In short, it was a treasure trove of personal information, which makes impersonation and other online scams easier. Most shockingly, all of this detailed information was on sale for only 1,900 U.S. dollars, equivalent to 1,700 euros.
After its discovery, the computer security company informed the Sephora brand in an official press release, and the brand officially informed all its customers and the media that personal data relating to its customers had indeed been stolen and put up for sale. The affected customers were its online customers in Malaysia, Indonesia, Thailand, Singapore, the Philippines, New Zealand, Australia and Hong Kong.
To the relief of some, this personal data leak does not appear to have reached the French brand's European customers, sparing the brand a hefty fine from the digital regulation authorities.
Sephora, for its part, gives assurances that no information relating to bank details has been stolen and sold. The company says there is no evidence that the stolen information has already been exploited. In addition, security experts were contacted and, after analysis, concluded that no major flaws were the cause of the leak. Strangely, no hacker attacks were discovered either. As a result, it is believed that the data was most likely leaked by a corrupt or ill-intentioned employee. Singapore's personal data protection authority, the Personal Data Protection Commission of Singapore, said it was opening an investigation into the matter.