Women’s online fashion retailer SHEIN has suffered a major security breach exposing the personal information and passwords of over six million customers.

The company said it discovered malicious hackers had compromised its network on August 22 this year. It added that between June and early August 2018 customer email addresses and “encrypted password credentials” had been stolen.
  • According to the company, malware had opened backdoors on corporate servers through which the attackers had stolen data associated with approximately 6.42 million customers. 
  • SHEIN operates across Europe, including the UK, Switzerland and Norway, as well as the US and Canada. The company didn’t say whether customers in any particular region or country have been affected or whether the hack affects customer details across all regions. 
  • In an act of saving grace the company said it does not typically store payment card information on its systems, and there is no evidence to suggest that customers’ credit card details have been stolen.
SHEIN says that it is contacting affected customers and advising that they change their passwords.
It is also offering a year’s worth of identity threat monitoring for “affected customers in certain markets.”
The company is telling users:
  • They can reset their password by clicking on a link in an email they are sending out. 
  • Or by manually visiting the SHEIN website, and after logging in, clicking the ‘Edit Password’ link under the ‘Account Setting’ page.

Security tips and insight

When these hacks take place, and what you don’t typically see, is a frenzy of sorts taking place in the dark web.
Cyber criminals trade the data and buyers concoct all sorts of scams in a bid to defraud those whose details have been stolen. 
  • A common tactic is to create phishing mails that purport to come from the affected company (in this case SHEIN) and send them out to the stolen email addresses. 
  • The emails attempt to lure the recipients into clicking on a link and enter private financial information such as payment card details into a fraudster controlled website. 
  • The emails tend to be sophisticated and at first glance they look like genuine emails in that they will contain exact replicas of company logos and mastheads.

With this in mind, rather than click on a link from a SHEIN email, it would be better to go to their website and change your password.

Password advice

If you are one of the unlucky customers who has had their email address and encrypted password stolen:
  • Keep in mind that if you use the same password across other websites and online services it’s a good idea to change these too. 
  • It’s an extremely common tactic by fraudsters to try out the stolen email addresses and passwords on other websites and online services. 
  • For instance, if a fraudster successfully uses the information to access an Amazon account, they can easily buy products using your payment card information if is held by Amazon. The same applies to other online services

Personal ID protection

You can protect your email addresses and passwords, even if they are hacked, with BullGuard Premium Protection.

It safeguards all your personal information by scanning the Internet, including the dark web, 24/7.
Find out more