RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: rituals (1 article)Clear
breach
2026-04-23

Dutch cosmetics giant Rituals discloses 'My Rituals' membership database breach

Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.

ritualsloyalty-breacheuropegdprphishing-riskretail
Check
If your staff or customers subscribe to Rituals memberships (especially in Europe where store density is highest) brief them that loyalty-themed phishing is likely to follow and add rituals.com lookalike domains to your brand monitoring watchlist.
Affected
Anyone with a 'My Rituals' loyalty membership. Businesses that have ever used Rituals for corporate gifting and stored staff contact details in the member account. Organizations with marketing-driven email collection at Rituals store counters for staff-appreciation programs.
Fix
Monitor phishing tags for any message claiming to be from Rituals or a Rituals partner. If your organization collected staff contact details through a Rituals-branded corporate gifting campaign, notify those staff proactively. Add rituals-[typo].com lookalikes to DMARC reporting and to your brand-monitoring ruleset. Rotate any password that was reused between a My Rituals account and another service. For European users, watch for follow-up notifications from Autoriteit Persoonsgegevens once the breach scope is confirmed, and keep the 90-day GDPR clock in mind for your own records of any shared data.