2 min read

Malware steals passwords from 6.4 million SHEIN customers


September 26, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Malware steals passwords from 6.4 million SHEIN customers

Women’s fashion retailer SHEIN has suffered a major security breach that has exposed the personal information and passwords of over six million customers.

In a press statement, SHEIN reveals that it discovered on August 22 2018 that malicious hackers had compromised its computer network, and that between June and early August 2018 customer email addresses and “encrypted password credentials” had been stolen.

According to the company, malware had opened backdoors on corporate servers through which the attackers had stolen data associated with approximately 6.42 million customers.

What hasn’t been disclosed is how the malware came to be planted on SHEIN’s servers, and says it is against its policy to discuss the specific details, but SHEIN does say that the security holes exploited by the hackers have now been closed.

From the description, the attack against SHEIN does not appear to bear the hallmarks of the Magecart attacks which have impacted a number of sites in recent months, including Ticketmaster.

Fortunately, SHEIN says that it does not typically store payment card information on its systems, and there is no evidence to suggest that customers’ credit card details might have been stolen.

SHEIN says that it is reaching out to customers advising that passwords are changed, and is offering one year’s worth identity threat monitor for “affected customers in certain markets.”

In an FAQ, SHEIN tells users that they can reset their password by clicking on a link in an email they are sending users, or by manually visiting the SHEIN website, and after logging in, clicking the “Edit Password” link under the “Account Setting” page.

My advice is that you should visit the website to change your password, and *not* click on a link in an email. After all, now the breach is public knowledge it wouldn’t be too surprising if a criminal attempted to cause even more mayhem by spamming customers with a bogus email that *pretends* to come from SHEIN but really points to a site under the control of the hackers.

Furthermore, if you are concerned that your SHEIN password may have been compromised, please please do make sure that you are not using that same password on any other website.

Password reuse is one of the most common errors made by internet users. Every time you use the same password on different websites, you are increasing the chances that a hacker will be able to successfully exploit credentials stolen during an attack on one site to break into other accounts you may own online.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like