Data from Sephora and StreetEasy data breaches added to HIBP

Pierluigi Paganini October 07, 2019

The popular data breach notification service Have I Been Pwned? (HIBP) has added the stolen data from the StreetEasy and Sephora data incidents.

Have I Been Pwned? (HIBP), the popular service that allows users to check whether their personal data has been compromised by data breaches has added the stolen data from the StreetEasy and Sephora data incidents.

Users can check if their data have been exposed in the StreetEasy and Sephora data breaches.

The StreetEasy data breach took place in the mid-2016 and exposed 988k records that included names, usernames, email addresses and SHA-1 password hashes. The data has been available for sale in the cybercrime underground since February. In February, Gnosticplayers hacker offered a third round of databases containing millions of hacked accounts from unreported data breaches, including Streeteasy (Real estate) with 990,000 records.

“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

New breach: StreetEasy had 988k records breached in mid-2016 which then appeared for sale in Feb this year. Impacted data includes names, usernames, email addresses and SHA-1 password hashes. 87% of addresses were already in @haveibeenpwned. Read more: https://t.co/WroT472FVU
— Have I Been Pwned (@haveibeenpwned) October 6, 2019

HIBP also included data from a data breach suffered by Sephora Southeast Asia in January 2017 that exposed data for 780,073 customers, including customer’s dates of birth, email addresses, ethnicities, genders, names, and physical attributes.

“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

New breach: Sephora South East Asia and ANZ had 780k records breached in 2017. Impacted data includes names, emails, genders, DOBs, ethnicities and other personal data. 78% of addresses were already in @haveibeenpwned. Read more: https://t.co/Q32t5EAULw
— Have I Been Pwned (@haveibeenpwned) October 6, 2019

Data from the Sephora data breach has been seen being also sold on online hacker forums.

Users impacted by the data breaches have to change their passwords also on every site that shares the same credentials.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – StreetEasy, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]

data breach Hacking hacking news HIBP information security news Pierluigi Paganini Security Affairs Security News Sephora StreetEasy

Pierluigi Paganini June 27, 2025

Taking over millions of developers exploiting an Open VSX Registry flaw

Pierluigi Paganini June 27, 2025