
Luxottica 2021 breach: 300 million customer records up for grabs online


May 22, 2023


Eyewear giant Luxottica has confirmed a data breach exposed the personally identifiable information of more than 70 million consumers.

Luxottica is the world's largest manufacturer of glasses and prescription frames and owner of popular brands including Ray-Ban, Chanel, Burberry, Giorgio Armani, Versace, Michael Kors and others.

The leaked database, with over 300 million customer records (allegedly from a 2021 data breach) from the US and Canada, including names, emails, phone numbers, addresses, and dates of birth, was provided free of charge on a leak website between April 30 and May 12.

The company told BleepingComputer that the leaked data stemmed from a security incident at a third-party vendor. It also said it became aware of the incident via a post on the now-defunct ‘Breached’ hacking forum, where one user was attempting to sell the stolen database.

“We first learned of the incident from a third-party post on the dark web in November 2022,” Luxottica explained.

Luxottica also said that it contacted Italian law enforcement and the Italian data protection authority, as well as the FBI. The company also claimed that no financial information, credentials or Social Security numbers were leaked. The investigation is ongoing.

“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post,” Luxottica told BleepingComputer researchers.

“From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details including names, addresses, phone numbers, emails and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.”

According to Troy Hunt, security consultant and owner of the Have I Been Pwned platform, the leaked records include 77,093,812 unique accounts, 74% of which were also part of previously known data breaches/leaks.

Does older leaked data still pose a danger to you?

Seemingly minor data breaches can still pose significant privacy risks. For example, you may have changed an email, phone number or home address, but your name and date of birth remain the same.

Although non-sensitive personal data exposed in data leaks may not put users at immediate risk, cybercriminals may still put this information to use by:

  • Conducting social engineering attacks – any personal information that the attacker has on the user can help improve the chances of success of phishing attacks
  • Using exposed PII for doxing purposes to harass, stalk, impersonate or conduct identity theft against victims

Not sure whether your information was stolen or made public on the internet? Check now with Bitdefender Digital Identity Protection and continuously monitor for exposed personal information online, with:

  • Specialized dashboard offering a complete view of your digital footprint, including traces from services you no longer use
  • 24/7 data breach and data leak monitoring and alerts
  • Intuitive, 1-click action items to instantly fix any weak points in your digital footprint




Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
