Dutch cosmetics giant Rituals has confirmed a data breach targeting its My Rituals loyalty program, with attackers gaining unauthorized access to personal records belonging to its 41-million-strong membership database. The breach was discovered in April 2026 and publicly disclosed on April 23.
The Rituals Data Breach: How It Happened
Rituals, the Amsterdam-based cosmetics brand operating over 1,400 retail boutiques across 33 countries, detected an unauthorized download of its loyalty membership database earlier in April. The My Rituals program offers members exclusive rewards, birthday gifts, and personalized discounts — and stores a significant volume of personal data to deliver those benefits. The company has initiated a forensic investigation, blocked the attacker's access, and notified the relevant data protection authorities. No cybercrime group has claimed responsibility for the breach, and Rituals stated it has yet to find evidence that the stolen data has been leaked online.
What Personal Data Was Stolen
According to Rituals' official disclosure, the following customer information was accessed by the attackers:
- Full name
- Email address
- Phone number
- Date of birth
- Gender
- Home address
- Preferred Rituals store and account type
The breach primarily affected members in Europe and the United Kingdom. Affected customers have been notified directly via email.
Passwords and Payment Details Were Not Exposed
Rituals confirmed that account passwords and payment card information were not part of the breached database. However, cybersecurity experts caution that the exposed combination of name, address, birth date, and contact details is more than sufficient for highly targeted phishing attacks and, in some cases, identity fraud. Unlike a compromised password, a date of birth or a home address cannot be reset once it has leaked, so the exposure is effectively permanent.
Why Loyalty Breaches Are More Dangerous Than They Look
Loyalty program databases are frequently underestimated as a target: they rarely hold card numbers, but they hold exactly the personal details a scammer needs to impersonate the brand convincingly. With 41 million records in play, the potential scale of follow-on attacks is substantial. Criminals can use this data to:
- Craft convincing phishing emails that reference your real name, home city, or loyalty account status
- Commit identity fraud, including fraudulent loan applications or document requests
- Target victims with SMS scams designed to look like official Rituals communications
- Combine with other leaked datasets to build detailed profiles for social engineering attacks
Cases like this are often cited as a reason for everyday users - not just tech enthusiasts - to adopt VPNs when shopping or accessing membership accounts over public Wi-Fi. A VPN does protect your traffic on an untrusted network, but it would not have prevented this breach: the data was taken from Rituals' own systems, not intercepted in transit. The practical defences here are vigilance against phishing and good account hygiene, covered below.
What Affected Customers Should Do Now
- Stay alert for phishing emails that use your real name or reference your Rituals membership
- Do not click links in unexpected emails or SMS messages purportedly from Rituals
- Change your Rituals account password as a precaution, even though passwords were not directly stolen, and make sure the new one is not reused on any other site
- Enable two-factor authentication on your email account to reduce the impact of phishing attempts
- Watch for unusual activity on any account linked to the email address registered with Rituals
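The advice above to avoid links in unexpected messages is easier to follow with a concrete test. The script below is an added example written for this article, not code from Rituals or any vendor; it assumes rituals.com is the brand's legitimate domain (adjust LEGIT_DOMAINS for your own case) and flags the tricks phishing kits use once they have your real name and membership details: the brand name parked in a subdomain of an attacker's domain, typosquats one or two characters away, credentials smuggled before an @ sign, and Unicode or punycode hosts that hide look-alike letters.

```python
"""Classify a link from an unsolicited email or SMS against a known-good brand domain.

Added example, not part of the original article or of Rituals' own tooling.
Assumption: rituals.com is the brand's legitimate domain; LEGIT_DOMAINS is the
only thing you need to change to reuse this for another brand.
"""
from urllib.parse import urlsplit

# Assumed legitimate registrable domain(s) for the brand (not verified with Rituals).
LEGIT_DOMAINS = {"rituals.com"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Good enough for .com and .nl; wrong for multi-part suffixes such as co.uk,
    where a public-suffix list should be used instead.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as ritua1s.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return one of: ok, invalid, userinfo, idn, brand-in-host, lookalike, unrelated."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "invalid"
    # https://rituals.com@evil.net/ : browsers ignore everything before the @,
    # so the real host is evil.net even though the link "starts with" rituals.com.
    if parts.username is not None or parts.password is not None:
        return "userinfo"
    # Raw non-ASCII labels or punycode (xn--) can render as the brand name while
    # using different code points, e.g. Cyrillic a in place of Latin a.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "idn"
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "ok"
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # rituals.com.evil.net or rituals-rewards.com: the brand name appears in the
        # host, but the part that is actually registered belongs to someone else.
        if brand in host:
            return "brand-in-host"
        # ritua1s.com, rituals.cm: within two edits of the real domain.
        if levenshtein(reg, legit) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for sample in [
        "https://www.rituals.com/en-gb/account",
        "http://rituals.com.evil.net/login",
        "https://ritua1s.com/verify",
        "https://rituals.com@evil.net/",
        "https://ritu\u0430ls.com/",
        "https://example.org/",
    ]:
        print(f"{classify_link(sample):14} {sample}")
```

Only "ok" means the link really lands on the assumed brand domain; every other verdict is a reason to open the site by typing the address yourself rather than following the link. The two-label registrable-domain heuristic is the weak point of this script, and a production checker should replace it with a public-suffix-list lookup.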