Women’s online fashion retailer SHEIN has been hit by malware that snagged 6.42m site visitors’ email addresses and encrypted passwords, the company has announced.
SHEIN said that it discovered the breach on 22 August, but that it actually started in June and continued through early August. Those details may change as the investigation continues: the retailer says it hired a leading international forensic cybersecurity firm and an international law firm to conduct a thorough investigation.
The company didn’t specify what malware it found on its servers, just that it’s scrubbed it off and has closed the backdoors that the attackers opened.
In a data security FAQ, SHEIN said that it hasn’t seen any evidence pointing to theft of credit card data. It typically doesn’t store such information on its servers, SHEIN said. But if anybody does see suspicious activity on their payment cards, SHEIN is urging them to contact their bank or credit card company about it.
The site is now safe to visit, the retailer says. It’s asking customers to reset their passwords by clicking on an email notification it sent or by logging into their accounts and clicking the “Edit Password” link under the “Account Setting” page. SHEIN concludes:
After completing the password reset process, customers should feel safe and confident about making purchases.
Do be careful about clicking on links in emails, though: it would be all too easy for crooks to send boobytrapped emails spoofed to look like they came from SHEIN but actually rigged with malicious links. It’s a safer bet to navigate to the site and change your account password there.
SHEIN says it’s beefing up security measures, per investigators’ recommendation. It’s also offering one year of identity protection to customers in some of its markets.
What to do?
- If you’re one of the 6.42m SHEIN customers whose personal details were stolen, you should have received an email telling you to change your account password.
- If you haven’t been contacted, it’s still a good opportunity to ask yourself whether your SHEIN password is strong enough. Change it if you have any doubt about it or if you’ve committed the cardinal password sin of reusing passwords on multiple sites. Because yes, password reuse is truly a bad idea.
- Keep an eye on your bank and payment card statements, and take SHEIN’s advice to contact your card issuer if you see anything fishy.
- Be particularly vigilant about phishing email. The crooks got at a crazy huge dump of email addresses, and phishing or spam could well be the result. If someone contacts you “about the breach”, never call or message them back based on contact information they gave to you – always find an independent source for the relevant phone number or email address, such as a printed receipt.
- Cast a hairy eyeball on any emails, instant messages or phone calls that claim to be connected to this incident – they could be coming from fraudsters looking to cash in on the big breach.