Massive Luxottica Data Breach Compromises Personal Information of 70 Million Customers

  • Luxottica, the world’s largest eyewear company, confirmed a 2021 data breach at one of its partners that exposed the personal information of roughly 70 million customers. The stolen data includes full customer names, email addresses, phone numbers, postal addresses, and dates of birth. The data was first offered for sale on a hacker forum in November 2022 and was subsequently leaked for free on other forums in April and May 2023.
  • The data breach is still under investigation, with Luxottica and third-party sources such as the founder of “Have I Been Pwned,” Troy Hunt, working to notify affected individuals. The incident underscores the importance of robust cybersecurity measures and proactive monitoring for companies handling large volumes of personal customer data​.

Luxottica, the world’s leading eyewear company, owner of Ray-Ban and Oakley, and licensed maker of eyewear for brands such as Chanel, Prada, Versace, Dolce & Gabbana, Burberry, Giorgio Armani, and Michael Kors, has confirmed a 2021 data breach involving one of its partners. The breach exposed the personal information of roughly 70 million customers after a database containing this data was freely shared on several hacking forums.

In November 2022, a member of the now-defunct “Breached” forum attempted to sell what they claimed was a 2021 database containing 300 million records on Luxottica customers in the United States and Canada. The database reportedly held email addresses, first and last names, postal addresses, and dates of birth. Because it was initially offered only for private sale, it was unclear at the time whether the data came from a new intrusion or from the breaches Luxottica had already suffered in 2020.

However, the full database was later leaked for free on hacking forums on April 30th and May 12th, 2023, putting it within reach of any threat actor. Andrea Draghetti, head of research at the Italian cybersecurity firm D3Lab, analyzed the leaked files and confirmed their size and contents: 305 million lines, 74.4 million unique email addresses, and 2.6 million distinct email domains. From the timestamp of the newest record in the dump, Draghetti placed the exfiltration on or shortly after March 16th, 2021, which indicated that the data came from a previously undisclosed incident rather than the 2020 breaches.
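The kind of triage Draghetti performed on the dump (line count, unique addresses, unique domains, and the newest record timestamp as a lower bound on when the data was copied) can be scripted. The following Python is an added example, not code from D3Lab or the original article; the CSV column layout and the sample rows are constructed assumptions, not Luxottica’s actual schema, and the email digest trick is there so the unique-address set stays small enough for a dump with hundreds of millions of lines.

```python
"""Triage a leaked customer dump: count records, unique emails and email
domains, and estimate the exfiltration date from the newest record timestamp.

Added example. The column layout (email,first_name,last_name,address,dob,created_at)
is an assumption for illustration, not the real dump's schema.
"""
import csv
import hashlib
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows in the assumed layout; includes a duplicate address
# with different casing, a malformed email, and an unparsable timestamp.
SAMPLE_DUMP = """email,first_name,last_name,address,dob,created_at
Alice.Smith@Example.com,Alice,Smith,"1 Main St, Springfield",1980-01-02,2021-03-16 10:42:00
alice.smith@example.com,Alice,Smith,"1 Main St, Springfield",1980-01-02,2020-11-03 08:00:00
bob@example.net,Bob,Jones,"2 Elm St, Shelbyville",1975-05-06,2019-07-21 12:00:00
carol@mail.example.org,Carol,King,"3 Oak Ave, Ogdenville",1990-09-10,2021-03-15 23:59:59
not-an-email,Dave,Brown,"4 Pine Rd, Capital City",1985-12-12,2021-01-01 00:00:00
erin@example.net,Erin,Lee,"5 Birch Ln, North Haverbrook",1992-02-28,garbage
"""


def _email_key(email):
    # Keep an 8-byte digest instead of the full string so a set over tens of
    # millions of addresses fits in memory; 64-bit collisions are negligible here.
    return hashlib.blake2b(email.encode("utf-8"), digest_size=8).digest()


def triage_dump(text, ts_format="%Y-%m-%d %H:%M:%S"):
    """Return summary statistics for a CSV dump supplied as text."""
    reader = csv.DictReader(io.StringIO(text))
    total = malformed = unparsable_ts = 0
    seen = set()
    domains = Counter()
    newest = None

    for row in reader:
        total += 1
        # Normalise before de-duplicating: mailbox matching is case-insensitive
        # in practice and dumps mix cases freely.
        email = (row.get("email") or "").strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or not local or not domain:
            malformed += 1
            continue
        seen.add(_email_key(email))
        domains[domain] += 1

        try:
            ts = datetime.strptime(row.get("created_at") or "", ts_format)
        except ValueError:
            unparsable_ts += 1
            continue
        # The newest record timestamp is a lower bound on the snapshot date:
        # the data cannot have been copied before the last row was created.
        if newest is None or ts > newest:
            newest = ts

    return {
        "total_lines": total,
        "malformed_emails": malformed,
        "unique_emails": len(seen),
        "unique_domains": len(domains),
        "top_domains": domains.most_common(3),
        "unparsable_timestamps": unparsable_ts,
        "newest_record": newest.isoformat() if newest else None,
    }


if __name__ == "__main__":
    for key, value in triage_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a real dump the same function can be pointed at a file object instead of a string; the per-row work is constant, so a 305-million-line file is a matter of I/O time and the memory needed for the digest set, not of the algorithm. The newest timestamp only bounds the exfiltration from below; a vendor’s own logs are needed to narrow it further.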

Luxottica confirmed that the leaked data came from a security incident at a third-party contractor that held customer data. The incident is still under investigation, but Luxottica has verified that the exposed data includes full customer names, email addresses, phone numbers, postal addresses, and dates of birth. The company became aware of the breach when it found a third party’s post on the dark web in November 2022. It immediately reported the incident to the FBI and the Italian Police, which led to the arrest of the forum’s owner and the shutdown of the site where the data had been posted.

Third-party sources have also reported on the breach, indicating that Luxottica began notifying affected individuals once it was clear that consumer information had been compromised. Troy Hunt, the founder of “Have I Been Pwned,” reported that 77,093,812 accounts appear in the leaked data and that the service would send breach notifications to over 320,000 of its subscribers.

Toulas, B. (2023, May 19). Luxottica confirms 2021 data breach after info of 70M leaks online. BleepingComputer.