The personal data of 70 million customers of a major eyewear company have been posted to hacking forums for free.
The world’s largest eyewear organisation, Luxottica, has revealed that it was the victim of a major cyber attack, which led to the data of over 70 million customers being exposed.
“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post,” the company said.
The company owns eyewear brands such as Ray-Ban and Oakley and manufactures licensed eyewear for fashion houses including Chanel, Dolce & Gabbana, Prada, Versace, Burberry, Giorgio Armani and Michael Kors, among others.
The Luxottica customer data was leaked for free on multiple hacking forums on 30 April and 12 May 2023, after the hackers had failed to sell it in November 2022 on the now-defunct Breached forum, where it was advertised as a 2021 database containing 300 million records.
It was initially unclear when the database was obtained; it was believed to date either from the two attacks that hit Luxottica in 2020 or from a more recent, undisclosed breach.
D3Lab’s Andrea Draghetti said that his analysis of the leaked file showed 305 million lines, 74.4 million unique email addresses and 2.6 million unique email domains.
Some details:
* 305.759.991 on luxottica_nice.csv
* 74.417.098 unique email address
* 2.590.076 unique domain mail
I don't think it's the data from the ransomware attack.
It is probably the data put up for sale on RaidForum, now released for free!
— Andrea Draghetti (@AndreaDraghetti) May 12, 2023
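The per-file counts quoted above (total lines, unique email addresses, unique domains) are the first thing an analyst computes when triaging a dump of this kind. The script below is an added example, not the article’s or D3Lab’s code; it assumes a CSV with an `email` column and runs over a handful of constructed rows, normalising case and whitespace before de-duplicating so that `ALICE@example.com` and ` alice@example.com ` count once.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape of a leaked customer CSV (name,email,phone,dob).
# These rows are made up for this example; none of them come from the Luxottica file.
SAMPLE_CSV = """name,email,phone,dob
Alice Example,alice@example.com,555-0100,1980-01-01
Alice Example,ALICE@example.com,555-0100,1980-01-01
Bob Example,bob@example.org,555-0101,1975-05-05
Carol Example, carol@Example.COM ,555-0102,1990-09-09
Dave Example,not-an-email,555-0103,1965-03-03
Erin Example,erin@mail.example.net,555-0104,1988-12-12
Bob Example,bob@example.org,555-0101,1975-05-05
"""

# Loose syntactic check: enough to discard junk rows during triage,
# not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_email(raw):
    """Lower-case and strip whitespace so case/spacing variants dedupe together.
    Returns None when the value does not look like an email address."""
    value = (raw or "").strip().lower()
    return value if EMAIL_RE.match(value) else None


def summarise_leak(csv_text, email_column="email"):
    """Return the triage counts usually reported for a dump: rows in the file,
    rows carrying a parseable email, unique emails, unique domains, the number
    of duplicate email rows, and the domains with the most unique addresses."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = 0
    with_email = 0
    seen = set()          # unique normalised addresses
    domains = Counter()   # unique addresses per domain
    for row in reader:
        rows += 1
        email = normalise_email(row.get(email_column))
        if email is None:
            continue
        with_email += 1
        if email in seen:
            continue
        seen.add(email)
        domains[email.rsplit("@", 1)[1]] += 1
    return {
        "rows": rows,
        "rows_with_email": with_email,
        "unique_emails": len(seen),
        "unique_domains": len(domains),
        "duplicate_email_rows": with_email - len(seen),
        "top_domains": domains.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarise_leak(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

The gap between the line count and the unique-email count is itself a signal: a file with several rows per address is more consistent with an export of an orders or loyalty table than with a single deduplicated account list. For a real dump of hundreds of millions of lines you would stream the file from disk instead of loading it into a string, and the set of seen addresses would need to hold tens of millions of entries, so keep only the normalised address (or a hash of it) rather than the whole row.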
The two 2020 attacks were initially the leading candidates for the source of the data. The first, in August 2020, exposed the personal data of 829,454 customers of EyeMed and LensCrafters, both of which are companies under the Luxottica banner.
Only a month later, a ransomware attack struck Luxottica, bringing its China and Italy activities to a standstill.
However, some researchers, such as Draghetti, believed that a third, undisclosed attack may have been responsible for the breach. Luxottica has since confirmed this and said that it first learned of the latest attack in November 2022.
According to Have I Been Pwned’s Troy Hunt, as reported by BleepingComputer, the leaked data contains 77,093,812 unique accounts, a slightly higher figure than Draghetti’s count.
Luxottica has said that its investigation is ongoing and that, while personal information was exposed, no financial information was compromised.
“From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details, including names, addresses, phone numbers, emails and dates of birth,” it said.
“The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.”
Luxottica said that it has contacted both the Italian police and the FBI, the latter of which has reportedly arrested the owner of the forum on which the data was posted.