This article is more than 1 year old

Gotcha, Tatcha! Thieves hide in servers to hoover up victims' bank card numbers mid-order

Beauty website suffers ugly IT security breach

Cosmetics peddler Tatcha is warning customers after hackers were able to compromise its website and harvest payment card details as orders poured in.

The US branch of the Japanese biz has been sending notices this month to customers whose card details were apparently stolen on January 8 of this year and discovered in April.

"During the early part of 2017, an unauthorized person may have gained access to information keyed into the Tatcha checkout process," Tatcha's notice reads.

"While Tatcha does not store credit card information on its systems, the intruder was potentially able to capture information as it was entered."

Tatcha said the card numbers were not taken from any of its databases, but rather appear to have been grabbed directly from the order page itself. While the company does not give full details, it seems the retail site was compromised, making the incident in many ways similar to the cash register malware breaches that have affected brick-and mortar retailers in recent years. This is opposed to a typical smash-and-grab raid on, say, a database of customer payment details.

Tatcha did not say how many of its customers were compromised in the attack, though it has filed a breach notification with the California Attorney General – meaning at least 500 residents of that state were impacted.

The lifted data includes card number, expiration date, and security codes. This means the attackers have everything they need to charge orders to the pilfered cards. The attackers were also able to lift account passwords and email addresses.

Anyone who receives the notice from Tatcha would be well advised to cancel their payment card immediately, and review all statements since January for unauthorized charges.

Tatcha says it will be providing customers whose cards were stolen with two years of free identity theft monitoring and protection from AllClear ID. Customers will need to contact AllClear ID and enroll in the service themselves. ®

PS: Edmodo, a classroom-learning tech outfit with 78 million registered users, has been hacked, spilling account email addresses and bcrypt-hashed passwords.

More about

More about

More about


Send us news

Other stories you might like