Luxury Cosmetics Brand Rituals Confirms Data Breach Affecting 'My Rituals' Loyalty Program Members

Rituals Cosmetics Data Breach Exposes Personal Info of 'My Rituals' Members

Severity: HIGH
Published: April 23, 2026
Updated: April 29, 2026
4m read
Categories: Data Breach, Phishing

Impact Scope

People Affected: Potentially up to 40 million members
Industries Affected: Retail
Geographic Impact: Netherlands (regional)

Related Entities (initial)

Organizations: Autoriteit Persoonsgegevens
Other: Rituals Cosmetics

Full Report (when first published)

Executive Summary

Rituals Cosmetics, an Amsterdam-based luxury cosmetics giant, has disclosed a significant data breach affecting members of its "My Rituals" loyalty program. The incident, discovered in April 2026, resulted in unauthorized access to and exfiltration of customer personal information. The compromised data includes full names, physical addresses, phone numbers, email addresses, and dates of birth. The company has stated that financial data and passwords were not affected. Rituals has notified the relevant authorities, including the Dutch Data Protection Authority, and is actively communicating with affected customers, warning them to be vigilant against follow-on phishing campaigns that could leverage the stolen data for social engineering.


Threat Overview

On April 22, 2026, Rituals began sending email notifications to customers whose data was compromised. The breach exposed a significant amount of Personally Identifiable Information (PII) from the "My Rituals" loyalty program, which boasts over 40 million members globally. While the company has not disclosed the exact number of affected individuals, the notifications sent to customers across several European countries suggest a wide-ranging impact.

The attackers gained unauthorized access to a database containing customer information and downloaded the data. The specific attack vector has not been disclosed by the company. As of now, no ransomware or extortion group has claimed responsibility, and the data has not been observed for sale on known dark web marketplaces. However, the nature of the stolen data makes it highly valuable for identity theft, credential stuffing, and sophisticated phishing attacks.

Technical Analysis

While technical details of the intrusion are scarce, the incident can be classified as a data breach targeting customer PII. The attack likely involved exploiting a vulnerability in a web application, API, or database server that housed the "My Rituals" loyalty program data.

Potential Attack Scenarios

  • Web Application Vulnerability: An exploit against the customer portal, such as SQL Injection or a misconfiguration, could have allowed attackers to query and exfiltrate the database.
  • API Compromise: Unsecured or poorly authenticated APIs connected to the loyalty program could have been abused to enumerate and download customer records.
  • Credential Compromise: Stolen credentials of an employee or service account with access to the customer database could have provided the initial foothold.

MITRE ATT&CK Mapping

Impact Assessment

The immediate impact on Rituals Cosmetics includes significant reputational damage and potential regulatory fines under GDPR, given its base in the EU and the nature of the compromised data. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) will likely launch an investigation.

For the millions of affected customers, the risks are substantial:

  • Phishing and Scams: Attackers can use the combination of name, email, address, and phone number to craft highly convincing and personalized phishing emails or SMS messages (smishing).
  • Identity Theft: The stolen data, particularly name, address, and date of birth, is a core component for committing identity fraud.
  • Credential Stuffing: While passwords were not stolen, attackers can use the list of email addresses to attempt to log into other services where users might have reused passwords.

The company's swift notification is a positive step, but the sheer volume of data and the sensitivity of the PII make this a high-severity incident for customers.

IOCs — Directly from Articles

No Indicators of Compromise were mentioned in the source articles.

Cyber Observables — Hunting Hints

As this is a breach of a third-party company, direct hunting is not possible for end-users. However, organizations can hunt for secondary effects:

Type: Email Subject
Value/Pattern: Patterns like "Rituals Account Security Alert", "My Rituals Membership Update"
Context / Where to look: Inbound email gateway logs. Look for campaigns targeting employees who may be Rituals customers.

Type: URL Pattern
Value/Pattern: Lookalike domains such as rituals-security.com, my-rituals.net
Context / Where to look: DNS logs, web proxy logs. Proactively block known phishing domains.

Type: Email Sender
Value/Pattern: Emails claiming to be from Rituals but originating from non-official domains (e.g., Gmail, Outlook.com).
Context / Where to look: Email metadata analysis.

Detection & Response

For Rituals Cosmetics, the response involved containing the intrusion, engaging third-party security experts, and notifying authorities and customers. This is a standard incident response playbook.

For affected customers and other organizations:

  1. Awareness: Inform employees about this breach. If they are Rituals customers, they should be extra vigilant about emails or messages they receive.
  2. Phishing Detection: Email security gateways should be on high alert for phishing campaigns that mention Rituals. Security teams should look for emails that combine the victim's name, address, and other PII to create a sense of legitimacy.
  3. Password Management: Advise users to never reuse passwords. If they used a common password on their Rituals account (even though passwords weren't breached), they should change it on any other site where it was used.
  4. Identity Monitoring: Affected individuals should consider using identity theft protection services to monitor for fraudulent use of their information.
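The hunting hints above (brand-themed subjects, lookalike sender and URL domains, freemail senders using the brand name) and step 2 of the detection guidance (emails that quote several PII fields back to the recipient) describe what a gateway or SOC should look for. The following Python script is an added example, not code from the original article or from Rituals, that turns those hints into scoring heuristics and runs them over a few constructed sample messages. OFFICIAL_DOMAINS, the subject patterns, the PII regexes and SAMPLE_MESSAGES are assumptions built for the example; the two lookalike domains are the ones named in the hunting table.

```python
"""Triage heuristics for phishing that impersonates a breached brand.

Added example (not from the original article or from Rituals). It scores
inbound email metadata against the hunting hints in the report and the
PII-laden-body pattern from the Detection & Response section.
OFFICIAL_DOMAINS and SAMPLE_MESSAGES are constructed assumptions.
"""
import re
from urllib.parse import urlparse

BRAND = "rituals"
OFFICIAL_DOMAINS = {"rituals.com"}   # assumption: the brand's legitimate sending domain
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
SUBJECT_PATTERNS = [
    r"rituals account security",
    r"my rituals membership",
    r"rituals.*\b(verify|suspend|confirm)\b",
]
# Two or more of these in one body suggests the sender is quoting breached
# PII back to the victim to look legitimate (detection step 2 above).
PII_PATTERNS = {
    "address": re.compile(
        r"\b[A-Za-z]+(straat|laan|gracht|weg)\s+\d{1,5}\b"
        r"|\b\d{1,5}\s+[A-Za-z]+\s+(street|st|road|rd|avenue|ave|lane)\b", re.I),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "dob": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typos of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().strip().split(".")[-2:])


def is_lookalike(host: str) -> bool:
    """True when the domain trades on the brand name but is not an official domain."""
    domain = registrable_domain(host)
    if not domain or domain in OFFICIAL_DOMAINS:
        return False
    label = domain.split(".")[0]
    if BRAND in label.replace("-", ""):          # rituals-security.com, my-rituals.net
        return True
    # one-character typos or swaps of the brand label, e.g. ritualz.com
    return any(levenshtein(tok, BRAND) <= 1 for tok in label.split("-"))


def score_message(msg: dict) -> dict:
    """Score one message; return the reasons that fired and a verdict."""
    score, reasons = 0, []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1]

    if any(re.search(p, msg["subject"], re.I) for p in SUBJECT_PATTERNS):
        score += 2
        reasons.append("subject:brand-themed")
    if is_lookalike(sender_domain):
        score += 3
        reasons.append(f"sender:lookalike:{registrable_domain(sender_domain)}")
    if registrable_domain(sender_domain) in FREEMAIL and BRAND in msg["from_name"].lower():
        score += 3
        reasons.append("sender:freemail-with-brand-display-name")
    for url in msg.get("urls", []):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            score += 3
            reasons.append(f"url:lookalike:{registrable_domain(host)}")
            break                                 # one lookalike link is enough to flag
    pii_hits = sorted(name for name, rx in PII_PATTERNS.items() if rx.search(msg["body"]))
    if len(pii_hits) >= 2:
        score += 2
        reasons.append("body:pii-laden:" + ",".join(pii_hits))

    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"id": msg["id"], "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages, not real mail from the incident.
SAMPLE_MESSAGES = [
    {"id": "m1", "from_name": "Rituals", "from_addr": "news@rituals.com",
     "subject": "Your Rituals order has shipped",
     "body": "Thanks for your order. Track it at https://www.rituals.com/orders",
     "urls": ["https://www.rituals.com/orders"]},
    {"id": "m2", "from_name": "Rituals Security", "from_addr": "alert@rituals-security.com",
     "subject": "Rituals Account Security Alert",
     "body": ("Dear Anna, confirm your details: Keizersgracht 12, +31 6 1234 5678, "
              "born 03/04/1990. Verify at https://my-rituals.net/verify"),
     "urls": ["https://my-rituals.net/verify"]},
    {"id": "m3", "from_name": "My Rituals Team", "from_addr": "myrituals.team@gmail.com",
     "subject": "My Rituals Membership Update",
     "body": "Please reply with your membership number to keep your points.",
     "urls": []},
]


def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Map message id to verdict for a batch of messages."""
    return {r["id"]: r["verdict"] for r in map(score_message, messages)}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(score_message(m))
```

The weights are deliberately coarse: a brand-themed subject alone only earns a review, while a lookalike or freemail sender combined with any second signal crosses the block threshold. In a real gateway the official-domain set would come from the brand's published SPF/DMARC records rather than a hard-coded constant.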

Mitigation

For Rituals (and similar organizations):

  • Data Minimization: Only collect and store customer data that is absolutely necessary for business operations.
  • Access Control: Implement strict access controls and the principle of least privilege for databases containing PII. Use role-based access control (RBAC) to ensure only authorized personnel can access sensitive data.
  • Vulnerability Management: Continuously scan and remediate vulnerabilities in public-facing applications and APIs.
  • Data Encryption: Ensure sensitive data is encrypted both at rest and in transit.
  • Network Segmentation: Isolate databases containing PII from other parts of the network to limit the blast radius of a compromise.

For Affected Customers:

  • Be Skeptical: Treat all unsolicited communication claiming to be from Rituals with extreme caution. Do not click links or download attachments.
  • Verify Senders: Check the sender's email address to ensure it is from an official Rituals domain.
  • Enable MFA: Enable multi-factor authentication on all sensitive online accounts, especially email and banking.

Timeline of Events

  1. April 22, 2026: Rituals Cosmetics begins notifying affected customers via email about the data breach.
  2. April 23, 2026: This article was published.

Article Updates

April 29, 2026

Severity increased

Rituals confirms up to 41 million customers affected, with preferred store locations also compromised.

Rituals Cosmetics has updated the estimated number of affected customers to up to 41 million, an increase from the previously reported 'over 40 million'. The newly disclosed compromised data now includes customers' preferred store locations, in addition to names, addresses, phone numbers, email, DOB, and gender. This expanded scope further heightens the risk of identity theft and targeted phishing campaigns for a larger number of individuals across the UK, Europe, and the U.S.

Update Sources:
  • The Week in Breach News: April 29, 2026 | Kaseya (vertexaisearch.cloud.google.com)


Sources & References (when first published)

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Customer Data, Data Breach, GDPR, PII, Phishing, Retail
