Cosmetics giant Rituals discloses data breach affecting customers

Dutch cosmetics giant Rituals disclosed a data breach after attackers stole the personal information of an undisclosed number of customers from its "My Rituals" membership database.

The company revealed the security incident in a Wednesday notice, saying that the breach was discovered earlier this month after it was alerted to unauthorized downloads of its members' data.

Rituals has notified relevant authorities of the incident and has since contained the breach by blocking the attackers' access. It also added that it has yet to find evidence that the stolen information has been leaked online.

"The personal data involved (to the extent you have shared it with us) may include full name, email address, phone number, date of birth, gender, home address. We can confirm that no passwords or payment information were accessed," Rituals said.

"We have initiated an in-depth forensic investigation to understand how this happened and what measures we can take to prevent a similar incident in the future. We have also reported it to the relevant authorities."

The company says the data breach affects members of its My Rituals loyalty program, which offers exclusive rewards, gift-with-purchase benefits, and birthday gifts.

While Rituals has not shared how many customers have been affected by this data breach, the company says its My Rituals has over 41 million members. TechCrunch, which first reported the incident, said Rituals also notified some customers in the United States.

Rituals has yet to disclose the nature of the cyberattack, and no cybercrime groups or threat actors have claimed responsibility for the breach.

Founded in 2000 in Amsterdam, Netherlands, Rituals now has over 12,000 employees worldwide and reported €2.4 billion in revenue in 2025. Rituals also operates more than 1,400 retail boutiques and just over 4,800 luxury perfumeries and department stores across 33 countries.

BleepingComputer reached out to a Rituals spokesperson with additional questions about the incident, but a response was not immediately available.