Beauty product retailer Acro revealed that customers of two of its websites were impacted, exposing more than 100,000 payment cards. The attack compromised the “Three Comsetics” and “Amplitude” websites and 89,295 and 103,935 credit card details were exposed respectively.
The stolen data included cardholder names, payment card numbers, dates of expiry, and security codes. It’s also possible that some usernames and passwords may have been leaked, said Acro.
Potential victims of this attack could be anyone who made purchases on either of the two sites between May 21, 2020, and August 18, 2021.
A third-party investigation began on August 24 and established certain details about the leak on October 22. The breach was subsequently reported to law enforcement and Japan’s Personal Information Protection Commission.
The retailer said it started notifying affected customers by email from February 24. Potential victims have been urged to monitor their financial statements for suspicious activity and reset passwords on vulnerable online accounts.
Acro apologized to customers about the breach and promised to bolster its cybersecurity based on the investigation’s conclusions, including by relaunching its websites and taking measures to prevent unauthorized logins.
It said it was also working with credit card companies to continuously monitor transactions and prevent fraudulent use.