Apr 24, 2026 · 5 min read

Rituals Has 41 Million Members in Its Loyalty Program—Hackers Just Downloaded Their Personal Data

The Dutch cosmetics giant confirmed that attackers stole names, email addresses, home addresses, phone numbers, and dates of birth from its My Rituals membership database. The company has 41 million members and refuses to say how many were affected.

What Happened

Rituals, the Amsterdam-based luxury cosmetics brand with over 1,400 boutiques across 33 countries, confirmed on April 22 that hackers stole personal data from its My Rituals loyalty program. The company discovered the breach earlier in April after an external party flagged unauthorized downloads from its membership database.

Rituals blocked the attackers' access and launched a forensic investigation, but has not disclosed the nature of the attack, named the responsible threat actor, or provided any timeline of how long the intruders had access. No cybercrime group has publicly claimed the attack.

The company, which generated €2.4 billion in revenue in 2025, has notified the relevant data protection authorities and is contacting affected members directly.

What Data Was Taken

The stolen data includes full names, email addresses, phone numbers, dates of birth, gender, home addresses, preferred store locations, and account types. Rituals says no passwords or payment information were accessed.

That sounds reassuring until you think about what was taken. A name, email, home address, phone number, and date of birth are more than enough to open fraudulent accounts, file fake tax returns, or craft phishing messages that look like they were written by someone who knows you. Date of birth alone is a common identity verification question at banks and insurance companies.

The preferred store location data is unusual. It tells an attacker where you physically shop, which enables a category of scam that most breaches do not: localized phishing. An email referencing your specific Rituals store in Amsterdam, Milan, or London is far more convincing than a generic blast.

The Number Rituals Will Not Share

Rituals has 41 million members in its loyalty program. The company will not say how many of them were in the breach, citing "security reasons."

That is a significant omission. Under the GDPR, companies operating in Europe are required to notify individuals whose data was compromised. Rituals says it is contacting affected customers directly, which means the company does know the number. It is choosing not to share it publicly.

When a company with 41 million members refuses to quantify a breach, the silence itself communicates something. If the number were small, there would be every incentive to say so. The refusal to disclose suggests either the investigation is still determining the scope, or the number is large enough that the company is managing the disclosure carefully.

Rituals also declined to say whether the attackers made a ransom demand, which adds another layer of uncertainty for affected members.

A Pattern of Retail Breaches

Rituals is the latest in a series of major retail breaches in 2026. In the past month alone, UK grocery chain Co-op and department store Marks & Spencer both confirmed breaches linked to the DragonForce cybercriminal syndicate. Luxury retailer Harrods was also targeted.

The common thread is loyalty programs. Retailers have spent years building massive databases of customer information to power personalized marketing and repeat purchases. Those same databases are now the primary target. Last month, Basic-Fit lost one million gym members' bank details in an attack that was over in minutes. A loyalty program that stores your name, email, address, phone number, and shopping preferences is essentially a phishing kit waiting to be stolen.

The retail sector collected this data to send you marketing emails and personalized offers. Attackers now have the same data to send you phishing emails and personalized scams.

What Affected Members Should Do

If you are a My Rituals member, treat every email that mentions Rituals, your loyalty account, or your recent purchases with skepticism. Attackers who have your name, email, and store location can craft messages that look exactly like legitimate Rituals communications.

  • Change your Rituals password now, and the password on any other account where you reused the same email and password combination. Rituals says passwords were not taken, but credential stuffing attacks that pair your leaked email with passwords from other breaches are likely.
  • Watch for identity fraud. Your name, date of birth, and home address are the core inputs for identity theft. Consider a credit monitoring service if you are in a region where they are available.
  • Do not click links in emails claiming to be from Rituals. Go directly to the Rituals website or app instead. Phishing campaigns following major breaches typically begin within days.
  • Be suspicious of phone calls. Your phone number was in the breach. Vishing attacks that reference your Rituals membership will sound legitimate because the caller will have real details about you.

Rituals says there is no evidence the stolen data has been leaked publicly. That is the status today. It does not guarantee what happens tomorrow, especially if a ransom demand was made and refused.

The Bigger Problem With Loyalty Programs

Every retailer wants you to sign up for a loyalty program. The value proposition is simple: give us your personal details and we will give you discounts and rewards. What they rarely explain is that they are building a database that becomes a target the moment it reaches meaningful scale.

Forty-one million records is a massive collection of personal information. When you hand over your name, birthday, home address, and email to a cosmetics company, you are trusting that their security is strong enough to protect data that, in the wrong hands, can be used against you for years.

The Rituals breach is a reminder that the cost of a loyalty discount is your personal data, and that data does not expire when the promotion ends.