Sephora, the make-up store and online marketplace famous among make-up and beauty enthusiasts, was hit by a data breach that affected its customers in Southeast Asia, New Zealand, and Australia.
The company has emailed its affected customers regarding the intrusion, which supposedly happened over the last two weeks. The breach exposed user details from the store’s online marketplace, including first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences.
Sephora is a Paris–based French multinational chain of personal care and beauty stores founded in Limoges in 1969. The company hosts nearly 300 brands, along with its private label. Sephora offers beauty products, including cosmetics, skincare, body, fragrance, nail color, beauty tools, and haircare.
Back in 2017, Sephora redefined cosmetic shopping when it launched its mobile app and online operations called Sephora Go. Back in 1999 and 2003, Sephora launched its first online operations through sephora.com in the United States and Canada, respectively.
“Obsessed with teaching and inspiring clients to play in a world of beauty, Sephora has pioneered the use of mobile in beauty, creating groundbreaking content on its intuitive Sephora app and on social media to bring Sephora’s expertise to our clients whenever and wherever they want,” reads the company website.
In the email sent by Sephora to customers, Sephora SEA managing director Alia Gogi assured users that their security and privacy are the priority of the cosmetics company.
“We understand how important your personal information is and value the trust you place in us to protect it,” she said in the email.
Gogi disclosed to users that the data breach has affected “some users” from different countries in Southeast Asia, Australia, and New Zealand. However, she did not disclose or offer any further information regarding how many customers were affected by the breach.
“Over the last two weeks, we discovered a breach in data related to some customers who have used our online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia, and New Zealand.”
Sephora, through the email penned by Gogi, said that the personal data of their online users might have been disclosed to an unauthorized third party.
Luckily, the company assured users that no credit card information was disclosed or accessed by the intruders, and continued the email saying that experts and the company have enough reason to believe that the data extracted from their servers were not used by hackers for illegal activities.
“Please be reassured that no credit card information was accessed, and we have no reason to believe that any personal data has been misused,” Gogi added in the email.
The company said that as soon as it became aware of the data breach, it immediately contacted authorities to investigate in accordance with different data privacy laws and informed its customers about what happened.
As part of the breach mitigation efforts, Sephora proactively deactivated user passwords and asked users to reset them to contain the impact of the breach. The company has also made a thorough investigation of its systems.
Furthermore, Sephora is offering the affected users third-party monitoring to make sure that their data would not be used illegally by those who gained unauthorized access to it.
“We are also offering a personal data monitoring service, at no cost to you, through a leading third-party provider,” she added.
Sephora advised users to take a few steps to protect themselves from malicious actors. For those who have not yet changed their Sephora passwords, the company urged users to change them as soon as possible.
Users are also encouraged to register for the third-party monitoring service by following the instructions on the provider’s website on or before November 30 to take advantage of the free monitoring service offered by Sephora.
The company confirmed that none of its physical stores were affected by the data breach, and the intrusion only targeted its online databases from a specific location.
“The security incident was limited to a database serving our Southeast Asia, Hong Kong SAR, and Australia/New Zealand customers who used our online service,” the company assured, adding that users can once again use their online and app services securely as they have already secured their servers.