Foreword
A women’s fashion retailer SHEIN, also spelled SheIn, is a US-based online store that had apparently suffered a data breach somewhere in June 2018, but the company only discovered the breach in late August 2018. SHEIN stated that the intruders managed to gain access to customers’ email addresses and encrypted passwords.
What data is at risk?
When the data breach was discovered, SHEIN stated that the hackers managed to gain access to email addresses and encrypted passwords that were stored in the system, but the leaked data does not contain any signs of encryption – it is likely that the passwords were decrypted before publishing the data.
Email addresses
In this data breach, there is a very wide array of email providers being used. Lets take a look:
# | Email Domain | Quantity |
---|---|---|
1 | gmail.com | 13,679,190 |
2 | hotmail.com | 4,019,832 |
3 | Yahoo.com | 2,192,258 |
4 | icloud.com | 729,539 |
5 | HOTMAIL.FR | 528,368 |
6 | mail.ru | 526,108 |
7 | web.de | 403,258 |
8 | aol.com | 401,925 |
9 | outlook.com | 318,435 |
10 | hotmail.co.uk | 313,180 |
11 | gmx.de | 297,622 |
12 | orange.fr | 226,573 |
13 | yahoo.fr | 195,841 |
14 | yandex.ru | 182,469 |
15 | live.com | 156,084 |
16 | hotmail.de | 131,248 |
17 | hotmail.it | 110,296 |
18 | yahoo.de | 106,191 |
19 | yahoo.co.uk | 104,798 |
20 | live.fr | 104,342 |
21 | libero.it | 102,292 |
22 | googlemail.com | 97,320 |
23 | t-online.de | 95,561 |
24 | msn.com | 94,348 |
25 | laposte.net | 85,934 |
26 | comcast.net | 84,970 |
27 | hotmail.es | 83,819 |
28 | ymail.com | 81,731 |
29 | free.fr | 73,624 |
30 | outlook.fr | 72,114 |
31 | me.com | 68,649 |
32 | sfr.fr | 68,064 |
33 | wanadoo.fr | 63,208 |
34 | yahoo.com.tw | 63,159 |
35 | yahoo.es | 57,809 |
36 | live.co.uk | 52,470 |
37 | gamil.com | 51,544 |
38 | gmx.net | 46,147 |
39 | bk.ru | 45,914 |
40 | btinternet.com | 44,002 |
41 | gmail.con | 43,782 |
42 | sbcglobal.net | 38,499 |
43 | yahoo.it | 38,245 |
44 | freenet.de | 37,974 |
45 | att.net | 37,381 |
46 | yahoo.co.in | 35,944 |
47 | bigpond.com | 33,423 |
48 | wp.pl | 32,642 |
49 | live.de | 31,715 |
50 | live.it | 31,586 |
51 | mail.com | 31,243 |
52 | outlook.de | 30,401 |
53 | outlook.sa | 30,082 |
54 | list.ru | 28,461 |
55 | rambler.ru | 28,223 |
56 | rediffmail.com | 26,302 |
57 | inbox.ru | 26,123 |
58 | sky.com | 26,116 |
59 | neuf.fr | 25,320 |
60 | qq.com | 25,123 |
61 | rocketmail.com | 24,858 |
62 | yahoo.in | 24,577 |
63 | yahoo.com.au | 24,125 |
64 | verizon.net | 24,023 |
65 | windowslive.com | 23,852 |
66 | gmil.com | 23,120 |
67 | alice.it | 20,452 |
68 | hotmil.com | 19,979 |
69 | bellsouth.net | 19,002 |
70 | hotmail.con | 18,627 |
71 | cox.net | 18,206 |
72 | arcor.de | 18,109 |
73 | virgilio.it | 18,080 |
74 | aim.com | 17,910 |
75 | live.nl | 17,908 |
76 | live.com.au | 17,629 |
77 | gmai.com | 16,991 |
78 | yahoo.com.hk | 16,093 |
79 | outlook.es | 16,037 |
80 | bbox.fr | 14,134 |
81 | tiscali.it | 13,796 |
82 | seznam.cz | 12,907 |
83 | online.de | 12,612 |
84 | o2.pl | 12,477 |
85 | yahoo.com.br | 12,295 |
86 | email.com | 12,278 |
87 | outlook.it | 11,201 |
88 | live.com.mx | 11,021 |
89 | optonline.net | 9,594 |
90 | charter.net | 9,006 |
91 | interia.pl | 8,947 |
92 | yahoo.com.mx | 8,857 |
93 | mac.com | 8,549 |
94 | yahoo.ca | 8,492 |
95 | gmail.co | 8,491 |
96 | optusnet.com.au | 8,306 |
97 | abv.bg | 7,984 |
98 | ntlworld.com | 7,926 |
99 | live.se | 7,674 |
100 | ya.ru | 7,624 |
The length of the chosen email addresses in this data breach also varies widely – if we take a range from the smallest number to the largest we can see that:
- The smallest amount – 7 emails were more than or equal to 100 characters in length;
- There’s 11 emails which were less than or equal to 5 characters in length;
- 13 emails which contained more than or equal to 90 characters in length;
- 25 emails which contained more than or equal to 80 characters in length;
- 117 emails which contained more than or equal to 70 characters in length;
- 178 emails which contained more than or equal to 60 characters in length;
- 385 emails which contained more than or equal to 50 characters in length;
- 10,183 emails which contained more than or equal to 40 characters in length;
- 16,755 emails which contained less than or equal to 10 characters in length;
- 843,073 emails which contained more than or equal to 30 characters in length;
- 9,848,312 emails which contained less than or equal to 20 characters in length;
- 22,322,666 emails which contained more than or equal to 20 characters in length.
Looking at the top-level domains (TLDs), we can also create a list of countries that SheIn users were using the service from:
# | Email Domain | Quantity | Purpose / Country |
---|---|---|---|
1 | .com | 17,699,022 | Commercial / United States |
2 | .edu | 1,813 | Education |
3 | .net | 85,934 | Network Infrastructure |
4 | .de | 403,258 | Germany |
5 | .fr | 754,941 | France |
6 | .au | 24,125 | Australia |
7 | .it | 110,296 | Italy |
8 | .ru | 526,108 | Russia |
9 | .uk | 313,180 | United Kingdom |
10 | .es | 83,819 | Spain |
11 | .pl | 45,119 | Poland |
12 | .con | 43,782 | None, probably misspelled |
13 | .br | 12,295 | Brazil |
14 | .ca | 8,492 | Canada |
15 | .nl | 17,908 | The Netherlands |
16 | .mx | 11,021 | Mexico |
17 | .co | 8,491 | Colombia |
18 | .no | 5,712 | Norway |
19 | .be | 2,130 | Belgium |
20 | .in | 35,944 | India |
21 | .se | 7,674 | Sweden |
22 | .at | 6,910 | Austria |
23 | .ch | 4,639 | Switzerland |
24 | .dk | 2,675 | Denmark |
25 | .nz | 2,321 | New Zealand |
26 | .pt | 2,243 | Portugal |
27 | .ar | 2,229 | Argentina |
28 | .tw | 63,159 | Taiwan |
29 | .ae | 1,532 | United Arab Emyrates |
30 | .cz | 12,907 | Czech Republic |
31 | .cn | 1,393 | China |
32 | .bg | 7,984 | Bulgaria |
33 | .gr | 4,178 | Greece |
34 | .cim | 3,815 | None, probably misspelled |
35 | .ua | 828 | Ukraine |
36 | .hu | 3,141 | Hungary |
37 | .eu | 2,393 | European Union |
38 | .cm | 1,945 | None, probably misspelled |
39 | .sk | 1,813 | Slovakia |
40 | .sa | 30,082 | Saudi Arabia |
41 | .ie | 1,496 | Ireland |
42 | .ro | 1,330 | Romania |
43 | .fm | 1,221 | Federated States of Micronesia |
44 | .id | 1,206 | Indonesia |
45 | .cl | 1,200 | Chile |
46 | .om | 1,188 | Oman |
47 | .lv | 6,980 | Latvia |
48 | .comm | 1,177 | None, probably misspelled |
49 | .me | 1,029 | Montenegro |
50 | .qa | 1,003 | Qatar |
51 | .clm | 853 | None, probably misspelled |
52 | .fi | 840 | Finland |
53 | .ee | 773 | Estonia |
54 | .ph | 2,847 | The Philippines |
55 | .by | 736 | Belarus |
56 | .cpm | 714 | None, probably misspelled |
57 | .cat | 703 | Catalonia |
58 | .hr | 699 | Croatia |
59 | .XOM | 621 | None, probably misspelled |
60 | .fe | 598 | Footballia |
61 | .vn | 2,206 | Vietnam |
62 | .cok | 586 | None, probably misspelled |
63 | .il | 2,202 | Israel |
64 | .te | 562 | None, probably misspelled |
65 | .jp | 1,928 | Japan |
66 | .come | 1,858 | None, probably misspelled |
67 | .vom | 1,615 | None, probably misspelled |
68 | .hk | 16,093 | Hong Kong |
69 | .col | 1,517 | None, probably misspelled |
70 | .sg | 1,464 | Singapore |
Here’s the letters email addresses begin with. If the analysis is being run on a database with duplicates, the results show that there are 29,026,175 email addresses that begin with letters. The most popular letter is R followed by the letter A, which is followed by the letter S. Email addresses beginning with letters contain 99.05978747356848% of the entire user base:
# | The letter an email address begins with | Quantity |
---|---|---|
1 | A | 3,206,739 |
2 | B | 1,187,451 |
3 | C | 1,770,137 |
4 | D | 1,195,226 |
5 | E | 1,053,108 |
6 | F | 670,340 |
7 | G | 842,864 |
8 | H | 872,318 |
9 | I | 567,572 |
10 | J | 1,497,023 |
11 | K | 1,524,405 |
12 | L | 1,795,120 |
13 | M | 3,133,130 |
14 | N | 1,267,323 |
15 | O | 300,603 |
16 | P | 997,513 |
17 | Q | 56,536 |
18 | R | 1,308,177 |
19 | S | 3,101,369 |
20 | T | 1,007,586 |
21 | U | 107,682 |
22 | V | 635,428 |
23 | W | 293,056 |
24 | X | 96,957 |
25 | Y | 306,122 |
26 | Z | 232,390 |
Now that letters have been covered, we could also take a look at the numbers. It should be noted that email addresses beginning with numbers are much less prevalent than those beginning with letters. Combined, there are just 213,390 email addresses that begin with numbers – that’s less than 1% of the entire user base. Email addresses beginning with numbers contain 0.7282519329186425% of the total entries in the SheIn data breach.
The number an email address begins with | Quantity |
---|---|
0 | 17,052 |
1 | 63,972 |
2 | 39,719 |
3 | 17,427 |
4 | 11,964 |
5 | 9,447 |
6 | 8,266 |
7 | 15,081 |
8 | 14,165 |
9 | 16,337 |
0.2119605935128775% of the email addresses in the SheIn data breach did not start with any numbers or letters – that’s exactly 62,108 accounts if we check the records against the database with duplicate entries or slightly more than 58,457 accounts if we check the records against the database without duplicate entries – the exact record count then would be 58,457.41329595996.
Passwords
There is a very interesting password distribution in the SheIn data breach – there are hundreds of different passwords that have been used by multiple different people. Of course, there are the ordinary combinations, but there are also thousands of passwords like “sheinside” potentially meaning that the users who chose such a password probably thought of it on-the-spot or “shein18” and “Shein2018”, potentially meaning that the users created their accounts in 2018. There were also 293,688 users that used multiple empty spaces as their passwords. Here’s the list:
# | Password | Quantity |
---|---|---|
1 | 290,394 | |
2 | 123456 | 89,122 |
3 | 123456789 | 41,637 |
4 | 1234567890 | 22,968 |
5 | 12345678 | 20,673 |
6 | Shein123 | 13,773 |
7 | shopping | 11,664 |
8 | 1234567 | 11,634 |
9 | password | 11,298 |
10 | 123123 | 11,155 |
11 | aa123456 | 11,072 |
12 | sheinside | 10,063 |
13 | shein | 7,978 |
14 | 1234 | 7,297 |
15 | 12345 | 7,153 |
16 | 11223344 | 6,767 |
17 | shein1 | 6,679 |
18 | 112233 | 5,874 |
19 | 0987654321 | 5,415 |
20 | 111111 | 5,281 |
21 | 1122334455 | 5,071 |
22 | 123321 | 4,781 |
23 | Aa123123 | 4,742 |
24 | qwerty | 4,737 |
25 | Shein2018 | 4,715 |
26 | sheinshein | 4,403 |
27 | qwert | 3,949 |
28 | qwertyuiop | 3,904 |
29 | 123123123 | 3,902 |
30 | Aa112233 | 3,881 |
31 | Aa11223344 | 3,785 |
32 | 1234512345 | 3,737 |
33 | shein2017 | 3,682 |
34 | onedirection | 3,542 |
35 | password1 | 3,473 |
36 | iloveyou | 3,295 |
37 | 3,294 | |
38 | qwer1234 | 3,156 |
39 | 12344321 | 3,086 |
40 | azerty | 2,979 |
41 | 12345678910 | 2,934 |
42 | chocolate | 2,920 |
43 | motdepasse | 2,885 |
44 | abc123 | 2,784 |
45 | sunshine | 2,754 |
46 | princess | 2,745 |
47 | asDF1234 | 2,662 |
48 | asdfghjkl | 2,586 |
49 | 000000 | 2,567 |
50 | shein@123 | 2,554 |
51 | shein.com | 2,547 |
52 | loulou | 2,524 |
53 | SheIn2016 | 2,522 |
54 | Mm123456 | 2,515 |
55 | 1234554321 | 2,456 |
56 | as123456 | 2,401 |
57 | 987654321 | 2,399 |
58 | qwerty123 | 2,389 |
59 | shein1234 | 2,381 |
60 | justinbieber | 2,363 |
61 | 112233445566 | 2,354 |
62 | abcd1234 | 2,330 |
63 | shopping1 | 2,329 |
64 | chouchou | 2,313 |
65 | doudou | 2,289 |
66 | 654321 | 2,276 |
67 | passwort | 2,267 |
68 | hallo123 | 2,254 |
69 | chocolat | 2,246 |
70 | 121212 | 2,204 |
71 | forever21 | 2,176 |
72 | hellokitty | 2,165 |
73 | Aa12341234 | 2,126 |
74 | ichliebedich | 2,110 |
75 | clothes | 2,092 |
76 | ss123456 | 2,024 |
77 | fashion | 1,934 |
78 | incorrect | 1,888 |
79 | shopping123 | 1,881 |
80 | Aa123456789 | 1,877 |
81 | hello123 | 1,849 |
82 | 12345678900 | 1,842 |
83 | soleil | 1,778 |
84 | 12341234 | 1,766 |
85 | charlotte | 1,756 |
86 | compras | 1,735 |
87 | michelle | 1,715 |
88 | 11111111 | 1,707 |
89 | butterfly | 1,704 |
90 | Rr123456 | 1,701 |
91 | azertyuiop | 1,661 |
92 | shein18 | 1,651 |
93 | sheinpassword | 1,633 |
94 | Password123 | 1,621 |
95 | charlie | 1,620 |
96 | Aa1234567 | 1,618 |
97 | zxcvbnm | 1,600 |
98 | 20092012 | 1,592 |
99 | 123456aA | 1,590 |
100 | welcome1 | 1,586 |
It should also be noted that the system contained 3,294 one-character passwords meaning that it is probably safe to assume that SheIn did not implement many security rules to enforce password strength.
Judging by the passwords that the users chose, we can safely assume that the service has been in operation at least since 2015 and since then grown steadily – “shein2015” password has been chosen by 699 users, “shein2016” password has been chosen by 2,522 users, “shein2017” password has been chosen by 3,682 users and the “shein2018” password has been chosen by 4,715 users.
This allows us to make an assumption that the choices of year-based passwords grew by 1,823 users in 2016, by 1,160 users in 2017 and by 1,033 users in 2018. Average growth per year – 1338.666666666667 users who chose new year-based passwords, so we can assume that the service would have had approximately 2,372 new users who would have chosen new year-based passwords in 2019 and approximately 3,711 new users who would have chosen new year-based passwords in 2020.
More interesting password choices include one-character passwords like “&”, “S”, “43”, and “(“, the word “sonnenschein” has been used 1,356 times, “papillon” has been used 1,131 times, “1q2w3e4r5t” has been used 1,065 times and “ritinhasantos4” has been used 1,021 times.
We can also see that there are multiple passwords that have been used the same number of times – there are 73 of them:
# | Password | Quantity | Password Repeat Times |
---|---|---|---|
1 | estrella | 1,001 | 2 |
2 | 00000 | 1,060 | 2 |
3 | happy123 | 1,062 | 2 |
4 | ; | 1,095 | 2 |
5 | Iloveshein | 1,131 | 2 |
6 | Aa1122334455 | 1,356 | 2 |
7 | 10203040 | 616 | 3 |
8 | 123456788 | 619 | 2 |
9 | jesus123 | 625 | 2 |
10 | 999999 | 627 | 4 |
11 | samantha1 | 631 | 2 |
12 | 123123AA | 634 | 3 |
13 | chicken | 635 | 2 |
14 | 2 | 639 | 2 |
15 | Computer | 642 | 3 |
16 | Aa100100 | 648 | 3 |
17 | alessandro | 649 | 3 |
18 | Daisy123 | 652 | 4 |
19 | lolipop | 655 | 2 |
20 | family | 656 | 2 |
21 | purple123 | 657 | 2 |
22 | love2shop | 666 | 3 |
23 | ashley | 667 | 2 |
24 | monkey123 | 673 | 2 |
25 | ( | 676 | 2 |
26 | justine | 679 | 3 |
27 | 11223344556677 | 684 | 2 |
28 | angela | 692 | 2 |
29 | 123456789Aa | 697 | 2 |
30 | fuckyou | 698 | 2 |
31 | michelle1 | 699 | 2 |
32 | 224466 | 702 | 2 |
33 | 1234abcd | 705 | 2 |
34 | 7654321 | 712 | 2 |
35 | Mm11223344 | 715 | 2 |
36 | 123098 | 717 | 4 |
37 | aa12345 | 718 | 3 |
38 | 131313 | 720 | 3 |
39 | alessia | 721 | 2 |
40 | elizabeth1 | 724 | 2 |
41 | beatrice | 725 | 2 |
42 | cooper | 730 | 2 |
43 | a1234567 | 731 | 2 |
44 | buddy123 | 733 | 3 |
45 | amandine | 738 | 4 |
46 | motherlode | 739 | 2 |
47 | 090909 | 740 | 3 |
48 | fatima | 746 | 2 |
49 | banana | 751 | 2 |
50 | hannah123 | 754 | 2 |
51 | lovelove | 757 | 2 |
52 | barbie | 759 | 2 |
53 | 88888888 | 773 | 2 |
54 | asd123 | 779 | 3 |
55 | asdfgh | 783 | 2 |
56 | 112233445566778899 | 796 | 3 |
57 | 12121212 | 800 | 2 |
58 | pepper | 811 | 2 |
59 | 00000000 | 823 | 2 |
60 | 009988 | 824 | 3 |
61 | aB123456 | 842 | 2 |
62 | 123456a | 847 | 2 |
63 | 87654321 | 853 | 2 |
64 | cocacola | 860 | 2 |
65 | coucou | 874 | 2 |
66 | 123654 | 884 | 4 |
67 | 1 | 885 | 2 |
68 | lalala | 897 | 2 |
69 | d | 925 | 2 |
70 | 123455 | 952 | 2 |
71 | Asd12345 | 964 | 2 |
72 | marina | 981 | 2 |
73 | patricia | 998 | 2 |
Best guess would be that these passwords were created by users who had more than one account in the system and thus, the times passwords repeated would match the count of multiple accounts the user had.
Apart from this, there are also a lot of passwords that begin with alphabetical letters and numbers. Here is the list of passwords that begin with letters:
# | The letter the password begins with | Quantity |
---|---|---|
1 | A | 1,992,010 |
2 | B | 1,298,884 |
3 | C | 1,455,374 |
4 | D | 964,988 |
5 | E | 710,719 |
6 | F | 803,599 |
7 | G | 789,006 |
8 | H | 887,892 |
9 | I | 660,077 |
10 | J | 978,300 |
11 | K | 906,390 |
12 | L | 1,342,680 |
13 | M | 2,109,455 |
14 | N | 904,379 |
15 | O | 458,681 |
16 | P | 1,213,355 |
17 | Q | 349,112 |
18 | R | 940,811 |
19 | S | 2,286,583 |
20 | T | 955,001 |
21 | U | 289,858 |
22 | V | 536,327 |
23 | W | 492,077 |
24 | X | 255,748 |
25 | Y | 381,001 |
26 | Z | 391,859 |
Here is the list of passwords that begin with numbers:
The number the password begins with | Quantity |
---|---|
0 | 656,343 |
1 | 1,423,879 |
2 | 613,947 |
3 | 299,329 |
4 | 236,096 |
5 | 231,729 |
6 | 232,289 |
7 | 235,043 |
8 | 247,879 |
9 | 341,314 |
In the data dump there are 408,406 passwords that are less than or equal to 5 characters in length, 20,919,888 passwords that are less than or equal to 10 characters in length, 29,187,461 passwords that are less than or equal to 20 characters in length, 65,519 passwords that are more than or equal to 20 characters in length, 40,642 passwords that are more than or equal to 30 characters in length. There are even passwords that are more than or equal to 40 characters in length – the total count of such passwords is 48. It is very likely that the passwords that are more than or equal to 20 characters in length were generated by password managers.
Summary
To summarize, the SheIn data breach, although relatively small compared to the bigger ones, did bring a lot of damage to the company and to its customers. The good thing is that SheIn notified all of their customers that their data is at risk – they also collaborated with cybersecurity investigators who monitored the network and tried to ensure that future data breaches can be prevented.