Data breach lookup site Have I Been Pwned has added the stolen data from the StreetEasy and Sephora data breaches to their engine so that users can check if their information was exposed.
According to HIBP, StreetEasy was hit with a data breach in June 2016 that exposed the information of close to 1 million users. This information included email addresses, names, passwords, and usernames:
“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”
HIBP also stated that Sephora Southeast Asia was breached in January 2017 and the data for 780,073 customers was stolen. The stolen data included customers’ dates of birth, email addresses, ethnicities, genders, names, and physical attributes:
“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”
The data from both of these breaches has been seen for sale and traded on online hacker forums.
Using this data, attackers can attempt to gain access to an affected user’s other accounts through the use of credential stuffing. Credential stuffing is when attackers try to access accounts at sites using the credentials disclosed in data breaches from other sites.
Due to this, it is strongly advised that everyone use a unique password at every site where they register an account. This way, if one site is hacked and customer information is stolen, it won’t impact other sites where you have an account.
Checking if you are in the breaches
If you are a customer of either of these companies and did not receive a notification or you are concerned your information is part of the breach, you can now check on the Have I Been Pwned site.
To do this, simply go to https://haveibeenpwned.com and enter your email address in the search field and click on the pwned? button.
The site will check its databases for your email address and list any monitored data breaches that contain your information.