SHEIN Data Breach Impacts Over 6.4 Million Customers
A massive data breach that has hit SHEIN, the international women’s apparel giant, has reportedly impacted over 6.4 million customers.
Threatpost reports, “Email addresses and encrypted passwords of over 6.4 million SHEIN customers were stolen over the summer after the women’s retailer said it suffered a ‘concerted criminal cyberattack’ on its computer network.”
The data breach, which was discovered on August 22, took place between June 2018 and August 2018. The attackers reportedly stole the email login credentials of over 6.4 million customers. Investigations have also been initiated.
A statement issued by SHEIN notifies customers who might have been impacted. The statement reads, “On August 22, 2018, SHEIN became aware that certain personally identifiable information of its customers was stolen during a concerted criminal cyberattack on its computer network. Immediately upon becoming aware of this potential theft, SHEIN hired a leading international forensic cybersecurity firm as well as an international law firm to conduct a thorough investigation.”
The statement further says, “While the full extent of the attack will continue to be investigated, it can now be confirmed that the personal information illegally acquired by the intruders included email addresses and encrypted password credentials of customers who visited the company website. It is our understanding that the breach began in June 2018 and continued through early August 2018 and involves approximately 6.42 million customers. SHEIN may update this information at a later date based on any new findings.”
The company's servers were all scanned, and the malware that was found was removed. The SHEIN statement clarifies that the “back door” entry points to the server opened by the attackers have been closed and removed. The network is now being closely monitored, and steps have been taken to prevent future breaches.
The investigation in progress is trying to assess the extent of the breach. There is reportedly no evidence that credit card data was also compromised. SHEIN reportedly does not store credit card data on its systems and hence there is no such risk. Meanwhile, the impacted customers are being notified and asked to take the necessary steps to secure their personal data.
The SHEIN statement says, “SHEIN is in the process of notifying the proper authorities and its customers who may have been affected. SHEIN is sending customer notices that provide instructions for resetting passwords through the website. The resetting of passwords will help ensure the security of the site and customer purchases.”
The statement concludes by saying, “At SHEIN, we value our customer’s safety and security above all else, and for this reason we are offering one year of identity theft monitoring to affected customers in certain markets. We will remain vigilant as we complete the investigation and implement new safeguards to prevent any future breaches.”
Hackers have been continuously targeting retailers all across the world, attacking them with all kinds of malware and stealing customers' sensitive personal data. We recently reported on the massive cyberattack targeting leading online electronics retailer Newegg Inc., which was executed by the Magecart group and resulted in credit card data being stolen in large numbers.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.