Luxottica admits massive data breach: 70M user accounts compromised in 2021 cyber attack

IT Services confirms that one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.

IT Services partner, Luxottica, is the world’s largest eyewear company, glasses, and prescription frames maker. It is the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many others. The company also operates Eyemed, a vision insurance company in the US.

In November 2022, a member of the now-defunct “Breached” hacker forum attempted to sell a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.

According to the seller, the database contained customers’ personal information, such as email addresses, first and last names, addresses, and date of birth.

The dump was offered for a private sale at the time on Breached, so it was not clear if the data was stolen in a new attack or during two attacks that impacted the company in 2020.

Luxottica suffered a data breach in August 2020 that exposed the personal information of 829,454 EyeMed and Lenscrafters patients. The following month, Luxottica once again suffered an attack, this time a ransomware attack that shut down the company’s operations in Italy and China.

However, more recently, the database was leaked in its entirety for free on April 30th and May 12th, 2023, on different hacking forums, making the data far more accessible to threat actors.

Andrea Draghetti, the leading researcher of the Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to us that it contains 305 million lines, 74.4 million unique email addresses, and 2.6 million unique domain email addresses.

Draghetti also determined the exfiltration date to be March 16th, 2021, based on the most recent database records, which means that the data likely originated from a previously undisclosed data breach.

How are Razer and Luxottica addressing the data breach issues and protecting their users?

Razer investigates data breach allegations to safeguard its users. The tech company is committed to maintaining privacy and security by promptly addressing any breach concerns. Similarly, Luxottica, known for its eyewear brands, ensures user protection by implementing strict security measures. Both companies prioritize their users’ data security, defending against potential breaches.

Luxottica confirms new breach

After we contacted Luxottica about the published data, the company confirmed that the leaked data came from a security incident that impacted a third-party contractor holding customer data.

The company added that its investigation of the incident is still underway. However, it has already determined that the exposed data contains full customer names, emails, phone numbers, addresses, and dates of birth.

“We discovered through our proactive monitoring procedures that certain retail customer data, allegedly obtained through a third-party related to Luxottica retail customers, was published in an online post.

We immediately reported the incident to the FBI and the Italian Police. The owner of the website where the data was posted has been arrested by the FBI, the website was shut down, and the investigation is ongoing. The Italian data protection authority has also been notified, and we are considering other notification obligations.

From our investigation, which is still ongoing, we know so far that the data primarily consists of customer contact details, including names, addresses, phone numbers, emails, and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data, or other information that would compromise the safety of our customers.

EssilorLuxottica remains confident that its systems were not breached, and its network remains secure.” – Luxottica

When asked when they first realized the breach, a Luxottica spokesperson answered: “We first learned of the incident from a third-party post on the dark web in November 2022.”

Troy Hunt, the owner of the “Have I Been Pwned” (HIBP) data breach notification service, told us that the leaked data includes 77,093,812 unique accounts, 74% of which are already in the platform’s records.

Hunt also informed us that HIBP will send out over 320,000 notices of a breach to subscribers of the platform today concerning the 2021 Luxottica data breach.

To check if your information was exposed in this breach, you can visit the HIBP site and search for your email address on the main page, and the site will list all data breaches that your email address was exposed.