Personal data from 3.7 million Sephora customers has made its way onto the dark web and is now for sale, according to an international cybersecurity company.
The data, which includes full names, date of birth, gender, email address, ethnicity information, beauty preferences and passwords of the French cosmetics retailer's online users, is reportedly for sale on the dark web for USD $1900 (NZ$2900).
The dark web is a part of the internet which is not visible to regular search engines.
Singapore-based cybersecurity firm Group-IB says it came across two customer databases with personal data on "underground forums" that are "likely to be related to Sephora".
Group-IB said the first database for sale was advertised on two separate pages on July 6 and July 17. It said that the database had the records of 500,000 Sephora customers in Indonesia and Thailand.
Details provided on the listing from the seller show that the data comes from February 2019, Group-IB said in a statement.
A second database was advertised on a forum on July 28, a day before the retail giant announced the data breach to its online users in eight countries, including New Zealand, Australia and a handful of countries in South East Asia.
Group-IB said the second database was listed under the name "Sephora 2019/03 – Shopping - [3.2 million]" and contained 3.2 million records, leaked in March 2019.
In the email sent to Sephora customers, the retailer said a data breach that affected "some customers" had resulted in personal information "exposed to unauthorised third parties".
Sephora said no credit card information was accessed.
On Monday, Beth Glancey, Sephora Australia and New Zealand country manager, said the retailer had identified the security incident over the last two weeks, and had no evidence of its customers' personal information being misused.
Sephora said that it would offer its customers affected by the data breach a free subscription to a data monitoring service through third-party supplier Experian.
Group-IB said the personal data exposed in the breach put customers at risk of phishing attacks and identity theft.
"Even though the records do not include any payment information or decrypted passwords, such detailed information about the customers can be used to carry out social engineering or targeted phishing attacks; that is why the scale of the breach shouldn't be underestimated," company founder and chief executive Ilya Sachkov said in a statement.
"As a precaution, we advise all customers who had accounts at Sephora to change their password, especially if they use the same login/password pair across multiple services, such as email and social media accounts, to avoid them being compromised."
A spokeswoman for Sephora said the retailer was investigating the matter.
"We are still investigating with the help of forensic cyber experts appointed immediately upon discovery of the incident. We cannot speculate on the number of individuals impacted until the investigation concludes."
No customer credit card information had been exposed in the data breach, the spokeswoman said.