
‘I can see her credit card information’: Customer says Sephora accidentally gave her access to someone else’s account during sale. She’s not alone

‘Huge security breach!’


Braden Bjella


Sephora customers are reporting login issues in which they are accidentally given access to other users’ accounts.

This issue was noted on Reddit as recently as September. However, it appears to be becoming more pronounced as more users log onto the company’s site to take advantage of its fall sale.

Users have reported issues logging in, problems with the website itself, receiving incorrect orders—and, most concerningly, gaining full access to other users’ accounts.

“Huge security breach!” reads one post on Reddit. “I’m logged in as another person! Something is seriously going wrong with Sephora right now.” In a comment, another user added, “I could see someone’s full order history and location.”

Now, a user on TikTok has sparked discussion after alleging they experienced the same issue.

“If you have a Sephora account, I need you to change your password right now,” says TikTok user @balancedbeautylover in a video with over 483,000 views as of Sunday.


“I was logged into some random woman’s account in New York,” the TikToker says. “And I’m not talking about, ‘I logged in and maybe put in some wrong information’—I’m talking about, I just went to Sephora.com and was automatically logged into this woman’s account.”

“I could see her credit card information, I could see her address, her email address, what she was ordering,” the TikToker continues. “She was ordering something in real time as I was online!”

The video closes with the TikToker advising customers to check their information on the site and to change their passwords to prevent any malicious actors from taking control of their accounts.

While frequently changing passwords is good cybersecurity advice, it may not resolve the issue at hand, as users are reporting that they can access other users’ accounts without a password.

This problem is not unheard of in the world of cybersecurity. Last month, some T-Mobile customers reported that they were able to access other users’ accounts via the company’s app. T-Mobile claimed that the issue was the result of a “technology update” glitch and said that the problem was promptly resolved.

There has been no update from Sephora regarding this issue, though the company has confirmed to numerous users on X (formerly Twitter) that its “teams are currently working to fix any issues on the app and website.”

In the comments section of the TikToker’s video, users shared a multitude of issues with the website, with many saying that they’ve decided to delete their personal and payment information from the site.

“Thanks. I changed it and deleted my card details to be safe,” a user said.

“Changed password and removed my card to be safe,” echoed another.

The Daily Dot reached out to the TikToker and Sephora via email.

Update 11:42am CT Oct. 30: In an email to the Daily Dot, the TikToker said that Sephora has not reached out to her about the issue beyond her initial interactions with customer service.

As for how it happened in the first place, she says that she does not know.

“It was so strange and abrupt,” the TikToker explained. “I thought someone had hacked into my account because it happened when I first went to their site and again when I refreshed the page.”

Dealing with this could be a lesson for Sephora, the TikToker said.

“I hope they focus more on their cyber security issues,” she wrote. “They capture a ton of data and data breaches should be their first priority considering the information they are collecting to personalize shoppers’ experience can be targeted and exploited.”

 