Sephora has emailed customers in the Southeast Asia region to inform them it has discovered a breach that occurred within the last fortnight.
"We understand how important your personal information is and value the trust you place in us to protect it," the email penned by Sephora SEA managing director Alia Gogi said.
"Over the last two weeks, we discovered a breach in data related to some customers who have used our online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia, and New Zealand."
Sephora said some personal information may have been exposed to unauthorised third parties, including first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences.
The company said that no credit card information was accessed, and the email continued to say that Sephora has no reason to believe that any personal data has been misused.
Once Sephora became aware of the incident, it said it immediately appointed independent experts to help investigate. It said as soon as it was able to verify the details of the incident, it notified affected customers.
"We are sorry for any concern or inconvenience this may cause you," the email from Gogi said.
"As a precaution, we have cancelled all existing passwords for customer accounts and have thoroughly reviewed our security systems. We are also offering a personal data monitoring service, at no cost to you, through a leading third-party provider."
Sephora recommends customers set up a new password and register for the free personal data monitoring service.
"We would like to assure you that we will continue to take all necessary steps to protect your privacy," it continued.
Those that shop in physical stores and do not use the company's online services or mobile app are not impacted by this incident as it was limited to a database that serves Sephora's Southeast Asia, Hong Kong SAR, Australia, and New Zealand customers that use online services.
- Over 10 million people hit in single Australian data breach: OAIC
- NAB admits it shared personal info on 13,000 customers with two external parties
- Australian National University breached with 19 years of data accessed
- Australian tech unicorn Canva suffers security breach
- Facebook initially considered breach not eligible for notification in Australia
- Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including Prime Minister