What happened
According to public breach records, the HauteLook data breach on August 7, 2018 is reported to have exposed the personal information of 28,510,459 accounts.
In mid-2018, the fashion shopping site HauteLook was among a raft of sites that were breached and their data then sold in early 2019. The data included over 28 million unique email addresses alongside names, genders, dates of birth and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Passwords in this breach were reportedly stored as bcrypt hashes.
In August 2018, online fashion retailer HauteLook had roughly 28.5 million user accounts compromised, exposing email addresses, names, genders, dates of birth, geographic locations, and bcrypt-hashed passwords. The stolen database surfaced in February 2019 when a single hacker listed it for sale on the Dream Market dark web marketplace as part of a larger batch of 16 breached sites totaling about 620 million accounts. Passwords were protected with bcrypt, a strong, computationally expensive hashing algorithm, rather than stored in plaintext or weaker hashes.
What data was exposed
The following types of personal data were compromised:
- Dates of birth
- Email addresses
- Genders
- Geographic locations
- Names
- Passwords
Breach details
| Detail | Value |
|---|---|
| Breach name | HauteLook |
| Date | August 7, 2018 |
| Accounts affected | 28,510,459 |
| Domain | hautelook.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by HauteLook; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your HauteLook password immediately, and change it anywhere else you reused the same password — bcrypt hashing reduces but does not eliminate the risk, especially for weak or common passwords.
- Use a unique password per account and enable two-factor authentication wherever offered, so a recovered password alone cannot unlock your other accounts.
- Treat email tied to this account as a phishing target: the leaked name, date of birth, and location make scam messages more convincing, so be skeptical of unsolicited login or 'confirm your details' requests.
- Be cautious with any service that uses your date of birth as an identity check, since that detail was exposed and cannot be changed.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: HauteLook Data Breach
- 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts — The Register