Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums.
Luxottica is the world’s largest eyewear company, glasses, and prescription frames maker, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many other. The company also operates Eyemed, a vision insurance company in the US.
In November 2022, a member of the now-defunct “Breached” hacker forum attempted to sell what he claimed to be a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.
According to the seller, the database contained customers' personal information, such as email addresses, first and last names, addresses, and date of birth.
The dump was offered for a private sale at the time on Breached, so it was not clear if the data was stolen in a new attack or during two attacks the company was impacted by in 2020.
Luxottica
suffered a data breach in August 2020 that exposed the personal information of 829,454 EyeMed and Lenscrafters patients. The following month, Luxottica once again suffered an attack,
this time a ransomware attack that shut down the company's operations in Italy and China.
However, more recently, the database was leaked in its entirety for free on April 30th and May 12th, 2023, on different hacking forums, making the data far more accessible to threat actors.
Andrea Draghetti, the leading researcher of the Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to BleepingComputer that it contains 305 million lines, 74.4 million unique email addresses, and 2.6 million unique domain email addresses.
Draghetti also determined the exfiltration date to be March 16th, 2021, based on the most recent database records, which meant that the data likely originated from a previously undisclosed data breach.
