Malware on SHEIN Servers Compromises Data of 6.4M Customers

Email addresses and encrypted passwords of over 6.4 million SHEIN customers were stolen over the summer after the women’s retailer said it suffered a “concerted criminal cyberattack” on its computer network.

The data breach occurred between June and August 2018, the company said in a recent statement. SHEIN said that the breach was tied to a cyberattack on its computer network that led to malware being planted on its servers.

“While the full extent of the attack will continue to be investigated, it can now be confirmed that the personal information illegally acquired by the intruders included email addresses and encrypted password credentials of customers who visited the company website,” the company said.

SHEIN didn’t specify to Threatpost which specific system(s) was breached other than to say that the backdoor entry points to the servers opened by the attackers have been closed. The company also said that malware found on the servers has been mitigated.

The company said it is currently notifying impacted customers while continuing to investigate the matter. SHEIN said it has not yet seen evidence that credit card information was also compromised during the breach and the company also stressed it typically does not store credit card information on its systems.

Retail stores continue to be juicy targets of cyber criminals seeking customer data, passwords, payment card info and other personally identifiable information which can then be sold on the dark web.

In April, hackers stole credit and debit card information from millions of consumers who have shopped at Saks Fifth Avenue and Lord & Taylor stores. Parent company, Hudson’s Bay Company, confirmed the security breach on Sunday, stating that customer payment card data at certain Saks Fifth Avenue, Saks Off 5TH and Lord & Taylor stores in North America are impacted.

In SHEIN’s case the breach appears to be tied to malware on its own servers, as opposed to a cyberattack that impacted Sears Holdings in April. The Sears breach didn’t stem from malware planted on its own systems – it came from malware on third-party partner [24]7.ai, a company that provides online chat services. In that case [24]7.ai was attacked by hackers who were able to use the company’s compromised chat platform to collect payment information from Sears customers.

Several threat actors are are also known for targeting the retail segment with their malware strains – including point-of-sale specific malware targeting outlets such as Forever 21. There is also the recent headline-grabbing Magecart  group, which has been scooping up data from retailers such as NewEgg.