What Happened
In July 2018, fast-fashion retailer SHEIN (operated by Zoetop Business Company) suffered a data breach when malicious actors used malware to gain unauthorized access to its payment systems. The attackers stole customers' payment card data and personal details from 39 million accounts worldwide, and the data was exposed on the dark web. The personal details included names, email addresses, city/province information, and passwords that were weakly hashed (MD5 with minimal salting) and crackable. Login credentials from nearly 7.3 million ROMWE accounts (ROMWE is also owned by Zoetop) were likely stolen in the same incident.

The breach was discovered in August 2018, after a credit card network and an issuing bank alerted SHEIN's payment processor to stolen card data for sale on hacking forums and to related fraud alerts. The resulting forensic investigation confirmed the intrusion and revealed failures on Zoetop's part, including a lack of monitoring, PCI DSS non-compliance, and insecure logging of full card details.

Zoetop's response was inadequate. It notified only 6.4 million customers who had placed orders (mainly in the US, Canada, and Europe), and the notices made misleading claims that minimized the scope and denied card data theft. Full password resets were delayed until 2020, after ROMWE credentials surfaced in plaintext. In 2022, the New York Attorney General fined Zoetop $1.9 million for poor security, delayed disclosures, and deception.



