
Hackers post the data of 70m eyewear customers online for free

The personal data of 70 million customers of a major eyewear company have been posted to hacking forums for free.

Daniel Croft
Mon, 22 May 2023

The world’s largest eyewear organisation, Luxottica, has revealed that it was the victim of a major cyber attack, which led to the data of over 70 million customers being exposed.

“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post,” the company said.

The company is the parent organisation to major brands such as Chanel, Dolce and Gabbana, Oakley, Prada, Versace, Burberry, Ray-Ban, Giorgio Armani, and Michael Kors, among others.

The Luxottica customer data was leaked for free on multiple hacking forums on 30 April and 12 May, after hackers failed in November 2022 to sell it on the former “breached” forum, where it was advertised as a 2021 database containing 300 million records.

It was initially unclear when the database was obtained; it was believed to have been taken either during the two attacks that affected Luxottica in 2020 or in a more recent breach.

D3Lab’s Andrea Draghetti said that analysis of the leak revealed that 74.4 million unique email addresses, 2.6 million unique domain email addresses and 305 million lines were exposed.

It was previously believed that the data might have been obtained during two prior attacks on Luxottica that occurred in 2020. The first occurred in August 2020 and saw the personal data of 829,454 EyeMed and LensCrafters customers exposed; both are companies under the Luxottica banner.

Only a month later, a ransomware attack struck Luxottica, bringing its China and Italy activities to a standstill.

However, some researchers, such as Draghetti, believed that a third, undisclosed attack may have been responsible for the breach. Luxottica has since confirmed this and said that it first learned of the latest attack in November 2022.

According to Troy Hunt of Have I Been Pwned, via Bleeping Computer, the leaked data contains 77,093,812 unique accounts.

Luxottica has said it is currently investigating and that while personal information was lost, no financial information was compromised.

“From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details, including names, addresses, phone numbers, emails and dates of birth,” it said.

“The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.”

Luxottica said that it has contacted both the Italian Police and the FBI, the latter of which has reportedly arrested the leak website’s owner.

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
