Luxottica confirms 2021 data breach after information on 70 million customers leaked online

Luxottica has confirmed that one of its partners suffered a data breach in 2021, which exposed the personal information of 70 million customers after the database was released for free on a hacker forum in May 2023.

Luxottica is the world's largest eyewear company and manufacturer of eyeglasses and prescription frames, with a number of well-known brands such as Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce & Gabbana, Burberry, Giorgio Armani and Michael Kors. The company also operates EyeMed, a vision insurance company in the United States.

In November 2022, a member of the now-defunct "Breached" hacking forum attempted to sell what he claimed was a 2021 database containing 300 million records of personal information related to Luxottica customers in the United States and Canada.

According to the seller, the database contained personal information about customers, such as email addresses, first and last names, addresses and dates of birth.

The dump was then being sold privately on Breached, so it is unclear whether the data was stolen in a new attack or in the two attacks on the company in 2020.

Luxottica suffered a data breach in August 2020 that exposed the personal information of 829,454 EyeMed and LensCrafters patients. The following month, Luxottica was attacked again, this time with a ransomware attack that led to the closure of the company's operations in Italy and China.

More recently, however, the database was leaked for free on April 30 and May 12, 2023, on different hacker forums, making the data more accessible to threat actors.

Andrea Draghetti, lead researcher at Italian cybersecurity firm D3Lab, analyzed the leaked data and confirmed to BleepingComputer that it contained 305 million rows, 74.4 million unique email addresses and 2.6 million unique domain email addresses.

Draghetti also identified the date of the breach as March 16, 2021, based on the most recent database records, which means the data may have originated from a previously undisclosed data breach.

Luxottica confirmed that the compromised data came from a security incident that affected a third-party contractor that held customer data.

The company added that its investigation into the incident is still ongoing. However, it has determined that the exposed data contained full customer names, emails, phone numbers, addresses and dates of birth.
