Sephora customers are reporting login issues in which they are accidentally given access to other users’ accounts.
This issue was noted on Reddit as recently as September. However, it appears to be becoming more pronounced as more users log on to the company’s site to take advantage of its Fall sale.
Users have reported issues logging in, problems with the website itself, receiving incorrect orders—and, most concerningly, gaining full access to other users’ accounts.
“Huge security breach!” reads one post on Reddit. “I’m logged in as another person! Something is seriously going wrong with Sephora right now.” In a comment, another user added, “I could see someone’s full order history and location.”
Now, a user on TikTok has sparked discussion after alleging they experienced the same issue.
“If you have a Sephora account, I need you to change your password right now,” says TikTok user @balancedbeautylover in a video with over 483,000 views as of Sunday.
“I was logged into some random woman’s account in New York,” the TikToker says. “And I’m not talking about, ‘I logged in and maybe put in some wrong information’—I’m talking about, I just went to Sephora.com and was automatically logged into this woman’s account.”
“I could see her credit card information, I could see her address, her email address, what she was ordering,” the TikToker continues. “She was ordering something in real time as I was online!”
The video closes with the TikToker advising customers to check their information on the site and to change their passwords to prevent any malicious actors from taking control of their accounts.
While frequently changing passwords is good cybersecurity advice, it may not resolve the issue at hand, as users are reporting that they can access other users’ accounts without a password.
This problem is not unheard of in the world of cybersecurity. Last month, some T-Mobile customers reported that they were able to access other users’ accounts via the company’s app. T-Mobile claimed that the issue was the result of a “technology update” glitch and said that the problem was promptly resolved.
There has been no update from Sephora regarding this issue, though they have confirmed to numerous users on X (formerly Twitter) that their “teams are currently working to fix any issues on the app and website.”
In the comments section of the TikToker’s video, users shared a multitude of issues with the website, with many saying that they’ve decided to delete their personal and payment information from the site.
“Thanks. I changed it and deleted my card details to be safe,” a user said.
“Changed password and removed my card to be safe,” echoed another.
The Daily Dot reached out to the TikToker and Sephora via email.
Source: https://www.dailydot.com/news/sephora-accounts-security-breach/