Luxury Cosmetics Giant Rituals Discloses Data Breach Affecting Over 1.2 Million Member Records
What Happened – Rituals announced that an unauthorized actor accessed its customer‑relationship database, exposing personal details (names, email addresses, purchase history, and hashed passwords) of roughly 1.2 million members. The breach was discovered during a routine security audit and is believed to stem from a misconfigured cloud storage bucket.
Why It Matters for Third‑Party Risk Management (TPRM) –
- Third‑party consumer data stores are a frequent target for credential‑stuffing and phishing campaigns.
- A breach at a high‑profile retail brand can cascade to partner ecosystems (e‑commerce platforms, marketing agencies, logistics providers).
- Exposure of hashed passwords increases credential‑reuse risk across other vendor relationships.
Who Is Affected – Retail & e‑commerce (cosmetics), CRM/marketing service providers, any downstream partners handling Rituals’ customer data.
Recommended Actions –
- Verify that your organization does not store or process Rituals‑derived data; if it does, enforce MFA and rotate credentials.
- Review cloud‑storage configuration controls of any shared services with Rituals or similar vendors.
- Conduct a risk‑based assessment of third‑party data‑handling agreements and update breach‑notification clauses.
Technical Notes – The incident appears to be a cloud‑storage misconfiguration (a publicly accessible S3‑like bucket) that allowed read‑only access to the customer database. No public CVE was linked, but the exposure included PII and salted SHA‑256 password hashes.
Source: Security Affairs – Newsletter Round 574
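The misconfiguration class described in the Technical Notes, and the configuration review recommended above, can be checked offline against a bucket's policy document before it is ever deployed. The following linter is an added example written for this briefing; it is not code from Rituals, Security Affairs, or any cloud provider. It models the policy format on AWS S3 bucket policies (the page only says "S3‑like", so the exact platform is an assumption), and the two policies, bucket name and account/role ARN it contains are constructed samples, not Rituals' real configuration.

```python
"""Offline linter for S3-style bucket policies.

Flags Allow statements that grant anonymous ("*") principals read access to
object data or key listings, and reports which public-access-block settings
are still off. Added example; the sample policies, bucket name and ARNs are
constructed and do not describe any real deployment.
"""
import fnmatch
import json

# Actions that let an anonymous caller download objects or enumerate keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")

# The four AWS public-access-block settings; all should be True for a
# bucket holding customer PII.
PUBLIC_ACCESS_BLOCK_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches any caller on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_read(actions):
    """True when any action pattern (e.g. 's3:*', 's3:Get*') covers a read action.
    IAM action names are case-insensitive, so compare lower-cased."""
    for pattern in _as_list(actions):
        for read in READ_ACTIONS:
            if fnmatch.fnmatchcase(read.lower(), pattern.lower()):
                return True
    return False


def find_public_read_statements(policy_json):
    """Return (Sid, severity) for every Allow statement that gives anonymous
    principals read access. 'PUBLIC' means unconditional; 'CONDITIONAL' means a
    Condition block is present and must be reviewed by hand."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are fine (and common)
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        severity = "CONDITIONAL" if "Condition" in stmt else "PUBLIC"
        findings.append((stmt.get("Sid", "<no Sid>"), severity))
    return findings


def public_access_block_gaps(config):
    """Names of public-access-block settings that are not enabled."""
    return [name for name in PUBLIC_ACCESS_BLOCK_SETTINGS if not config.get(name, False)]


# Constructed sample: the weak policy, world-readable CRM export bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForCrmExport",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-crm-export", "arn:aws:s3:::example-crm-export/*"],
    }],
})

# Constructed sample: the corrected policy. Read access is limited to one IAM
# role (placeholder account id), and a Deny with Principal "*" rejects plain HTTP.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadForExportRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-export-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-crm-export", "arn:aws:s3:::example-crm-export/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-crm-export", "arn:aws:s3:::example-crm-export/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, find_public_read_statements(policy))
    print("gaps:", public_access_block_gaps({"BlockPublicAcls": True, "BlockPublicPolicy": True}))
```

Running the file reports the weak policy's `PublicReadForCrmExport` statement as `PUBLIC` and nothing for the hardened policy, and the public-access-block check lists `IgnorePublicAcls` and `RestrictPublicBuckets` as still disabled for the partial configuration in the usage call. Treating a statement with a `Condition` as merely `CONDITIONAL` rather than safe is deliberate: conditions such as a source-IP or VPC-endpoint restriction are only as good as the values in them, so they belong in a manual review rather than an automatic pass.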