BreachDirectory

Originally published at breachdirectory.com

SHEIN.com Data Breach Analysis

Foreword

SHEIN, also spelled SheIn, is a US-based women's fashion online store that appears to have suffered a data breach sometime in June 2018; the company only discovered it in late August 2018. SHEIN stated that the intruders had gained access to customers' email addresses and encrypted passwords.

What data is at risk?

When the breach was disclosed, SHEIN stated that the attackers had obtained email addresses and encrypted passwords. The leaked data, however, shows no sign of encryption: the passwords appear in plain text. "Encrypted" in breach notifications usually means hashed, so a plaintext dump implies either that the passwords were stored in a recoverable form, or that the hashing was weak enough (an unsalted fast hash, for instance) for whoever published the dump to crack them before release. The latter seems the most likely explanation: the passwords were decrypted or cracked before the data was published.

Email addresses

This data breach spans a very wide range of email providers. Let's take a look:

# Email Domain Quantity
1 gmail.com 13,679,190
2 hotmail.com 4,019,832
3 Yahoo.com 2,192,258
4 icloud.com 729,539
5 HOTMAIL.FR 528,368
6 mail.ru 526,108
7 web.de 403,258
8 aol.com 401,925
9 outlook.com 318,435
10 hotmail.co.uk 313,180
11 gmx.de 297,622
12 orange.fr 226,573
13 yahoo.fr 195,841
14 yandex.ru 182,469
15 live.com 156,084
16 hotmail.de 131,248
17 hotmail.it 110,296
18 yahoo.de 106,191
19 yahoo.co.uk 104,798
20 live.fr 104,342
21 libero.it 102,292
22 googlemail.com 97,320
23 t-online.de 95,561
24 msn.com 94,348
25 laposte.net 85,934
26 comcast.net 84,970
27 hotmail.es 83,819
28 ymail.com 81,731
29 free.fr 73,624
30 outlook.fr 72,114
31 me.com 68,649
32 sfr.fr 68,064
33 wanadoo.fr 63,208
34 yahoo.com.tw 63,159
35 yahoo.es 57,809
36 live.co.uk 52,470
37 gamil.com 51,544
38 gmx.net 46,147
39 bk.ru 45,914
40 btinternet.com 44,002
41 gmail.con 43,782
42 sbcglobal.net 38,499
43 yahoo.it 38,245
44 freenet.de 37,974
45 att.net 37,381
46 yahoo.co.in 35,944
47 bigpond.com 33,423
48 wp.pl 32,642
49 live.de 31,715
50 live.it 31,586
51 mail.com 31,243
52 outlook.de 30,401
53 outlook.sa 30,082
54 list.ru 28,461
55 rambler.ru 28,223
56 rediffmail.com 26,302
57 inbox.ru 26,123
58 sky.com 26,116
59 neuf.fr 25,320
60 qq.com 25,123
61 rocketmail.com 24,858
62 yahoo.in 24,577
63 yahoo.com.au 24,125
64 verizon.net 24,023
65 windowslive.com 23,852
66 gmil.com 23,120
67 alice.it 20,452
68 hotmil.com 19,979
69 bellsouth.net 19,002
70 hotmail.con 18,627
71 cox.net 18,206
72 arcor.de 18,109
73 virgilio.it 18,080
74 aim.com 17,910
75 live.nl 17,908
76 live.com.au 17,629
77 gmai.com 16,991
78 yahoo.com.hk 16,093
79 outlook.es 16,037
80 bbox.fr 14,134
81 tiscali.it 13,796
82 seznam.cz 12,907
83 online.de 12,612
84 o2.pl 12,477
85 yahoo.com.br 12,295
86 email.com 12,278
87 outlook.it 11,201
88 live.com.mx 11,021
89 optonline.net 9,594
90 charter.net 9,006
91 interia.pl 8,947
92 yahoo.com.mx 8,857
93 mac.com 8,549
94 yahoo.ca 8,492
95 gmail.co 8,491
96 optusnet.com.au 8,306
97 abv.bg 7,984
98 ntlworld.com 7,926
99 live.se 7,674
100 ya.ru 7,624

The length of the email addresses in this data breach also varies widely. Counting from the shortest to the longest:

  • 11 addresses were 5 characters or shorter;
  • 16,755 were 10 characters or shorter;
  • 9,848,312 were 20 characters or shorter;
  • 22,322,666 were 20 characters or longer (this bucket and the previous one both include addresses of exactly 20 characters, so the two overlap);
  • 843,073 were 30 characters or longer;
  • 10,183 were 40 characters or longer;
  • 385 were 50 characters or longer;
  • 178 were 60 characters or longer;
  • 117 were 70 characters or longer;
  • 25 were 80 characters or longer;
  • 13 were 90 characters or longer;
  • 7 were 100 characters or longer.

The addresses of 5 characters or fewer are almost certainly not deliverable mailboxes, and the very long ones are unlikely to be real either; both groups are worth inspecting as junk or bot-created records before drawing conclusions from them.

Looking at the top-level domains (TLDs), we can also get a rough idea of which countries SheIn users were ordering from. Two caveats apply. Generic TLDs such as .com, .net and .edu say nothing about a user's country. And the per-TLD figures below do not reconcile with the provider table above: .de is listed at 403,258, which is exactly the web.de count, although gmx.de (297,622), hotmail.de (131,248) and t-online.de (95,561) are also present; .fr equals hotmail.fr plus orange.fr; .ru equals mail.ru alone; .net equals laposte.net alone. Treat the figures as lower bounds built from one or two providers per TLD rather than as complete tallies:

# TLD Quantity Purpose / Country
1 .com 17,699,022 Commercial (generic; not tied to a country)
2 .edu 1,813 Education
3 .net 85,934 Network Infrastructure
4 .de 403,258 Germany
5 .fr 754,941 France
6 .au 24,125 Australia
7 .it 110,296 Italy
8 .ru 526,108 Russia
9 .uk 313,180 United Kingdom
10 .es 83,819 Spain
11 .pl 45,119 Poland
12 .con 43,782 None, probably misspelled
13 .br 12,295 Brazil
14 .ca 8,492 Canada
15 .nl 17,908 The Netherlands
16 .mx 11,021 Mexico
17 .co 8,491 Colombia
18 .no 5,712 Norway
19 .be 2,130 Belgium
20 .in 35,944 India
21 .se 7,674 Sweden
22 .at 6,910 Austria
23 .ch 4,639 Switzerland
24 .dk 2,675 Denmark
25 .nz 2,321 New Zealand
26 .pt 2,243 Portugal
27 .ar 2,229 Argentina
28 .tw 63,159 Taiwan
29 .ae 1,532 United Arab Emirates
30 .cz 12,907 Czech Republic
31 .cn 1,393 China
32 .bg 7,984 Bulgaria
33 .gr 4,178 Greece
34 .cim 3,815 None, probably misspelled
35 .ua 828 Ukraine
36 .hu 3,141 Hungary
37 .eu 2,393 European Union
38 .cm 1,945 None, probably misspelled
39 .sk 1,813 Slovakia
40 .sa 30,082 Saudi Arabia
41 .ie 1,496 Ireland
42 .ro 1,330 Romania
43 .fm 1,221 Federated States of Micronesia
44 .id 1,206 Indonesia
45 .cl 1,200 Chile
46 .om 1,188 Oman
47 .lv 6,980 Latvia
48 .comm 1,177 None, probably misspelled
49 .me 1,029 Montenegro
50 .qa 1,003 Qatar
51 .clm 853 None, probably misspelled
52 .fi 840 Finland
53 .ee 773 Estonia
54 .ph 2,847 The Philippines
55 .by 736 Belarus
56 .cpm 714 None, probably misspelled
57 .cat 703 Catalonia
58 .hr 699 Croatia
59 .XOM 621 None, probably misspelled
60 .fe 598 None, not a delegated TLD (probably misspelled)
61 .vn 2,206 Vietnam
62 .cok 586 None, probably misspelled
63 .il 2,202 Israel
64 .te 562 None, probably misspelled
65 .jp 1,928 Japan
66 .come 1,858 None, probably misspelled
67 .vom 1,615 None, probably misspelled
68 .hk 16,093 Hong Kong
69 .col 1,517 None, probably misspelled
70 .sg 1,464 Singapore
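The provider, TLD and length tallies above were evidently built without normalising the data: domains are counted case-sensitively (Yahoo.com, HOTMAIL.FR), each ccTLD figure is taken from one or two providers, and the 20-character length buckets overlap. The following is an added example, not code from the original BreachDirectory analysis, showing how those tallies look when the domains are lower-cased, every second-level domain under a ccTLD is counted towards it, typo domains are flagged and the length buckets do not overlap. The addresses and the typo mapping are constructed for illustration.

```python
"""Added example, not code from the original BreachDirectory analysis:
provider, TLD and length tallies of the kind shown in the tables above, with
the normalisation the original figures appear to lack (lower-cased domains,
every second-level domain under a ccTLD counted towards it, typo domains
flagged, non-overlapping length buckets). The addresses are constructed."""
from collections import Counter
import re

# Look-alike domains of the large providers seen in the tables above; the
# mapping itself is an assumption, extend it from your own data.
LIKELY_TYPOS = {
    "gamil.com": "gmail.com", "gmil.com": "gmail.com", "gmai.com": "gmail.com",
    "gmail.con": "gmail.com", "gmail.co": "gmail.com",
    "hotmil.com": "hotmail.com", "hotmail.con": "hotmail.com",
}

# Deliberately loose: one '@', no whitespace, at least one dot in the domain.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")


def split_address(addr):
    """Return (local_part, domain) with the domain lower-cased, or None when
    the string does not look like an address at all (the 5-character and
    100-character 'emails' in a dump usually fall in this category)."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def tally(addresses):
    """Count providers, TLDs and probable typo domains; return the three
    Counters plus the number of entries that were not addresses."""
    providers, tlds, typos = Counter(), Counter(), Counter()
    malformed = 0
    for addr in addresses:
        parts = split_address(addr)
        if parts is None:
            malformed += 1
            continue
        _, domain = parts
        providers[domain] += 1
        tlds["." + domain.rsplit(".", 1)[1]] += 1   # web.de and gmx.de both -> .de
        if domain in LIKELY_TYPOS:
            typos[domain] += 1
    return providers, tlds, typos, malformed


def length_buckets(addresses, edges=(0, 10, 20, 30, 40, 50)):
    """Histogram of address lengths keyed by the lower edge of each bucket,
    so that an address of exactly 20 characters is counted once."""
    buckets = Counter()
    for addr in addresses:
        n = len(addr.strip())
        buckets[max(e for e in edges if e <= n)] += 1
    return buckets


# Constructed sample mixing case variants, ccTLD providers, typos and junk.
SAMPLE = [
    "alice@gmail.com", "Bob@Yahoo.com", "carol@HOTMAIL.FR", "dave@web.de",
    "erin@gmx.de", "frank@t-online.de", "grace@gamil.com", "heidi@gmail.con",
    "ivan@mail.ru", "judy@orange.fr", "not-an-address", "k@x.y",
]

if __name__ == "__main__":
    providers, tlds, typos, malformed = tally(SAMPLE)
    print("providers:", providers.most_common())
    print("tlds:", tlds.most_common())
    print("typos:", dict(typos), "malformed:", malformed)
    print("lengths:", sorted(length_buckets(SAMPLE).items()))
```

Run over the real dump, the .de figure would become the sum of web.de, gmx.de, t-online.de, hotmail.de, live.de, online.de, freenet.de and arcor.de rather than web.de alone, the Yahoo.com and HOTMAIL.FR rows would merge with their lower-case forms, and entries such as gamil.com and gmail.con would be reported separately as probable typos instead of appearing as providers in their own right.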

Here are the letters that email addresses begin with. Run against the database with duplicates, 29,026,175 email addresses begin with a letter, which is 99.06% of the entire user base. The most popular first letter is A, followed by M and then S:

# The letter an email address begins with Quantity
1 A 3,206,739
2 B 1,187,451
3 C 1,770,137
4 D 1,195,226
5 E 1,053,108
6 F 670,340
7 G 842,864
8 H 872,318
9 I 567,572
10 J 1,497,023
11 K 1,524,405
12 L 1,795,120
13 M 3,133,130
14 N 1,267,323
15 O 300,603
16 P 997,513
17 Q 56,536
18 R 1,308,177
19 S 3,101,369
20 T 1,007,586
21 U 107,682
22 V 635,428
23 W 293,056
24 X 96,957
25 Y 306,122
26 Z 232,390

Now that letters have been covered, we can also take a look at the digits. Email addresses beginning with a digit are far less common than those beginning with a letter: combined, there are just 213,390 of them, about 0.73% of the entries in the SheIn data breach.

The number an email address begins with Quantity
0 17,052
1 63,972
2 39,719
3 17,427
4 11,964
5 9,447
6 8,266
7 15,081
8 14,165
9 16,337

The remaining 0.21% of the email addresses in the SheIn data breach started with neither a letter nor a digit: exactly 62,108 records in the database with duplicates, or roughly 58,457 once duplicates are removed. The deduplicated figure is derived from the percentage rather than counted directly, which is why the original calculation produced the non-integer 58,457.41.

Passwords

The password distribution in the SheIn data breach is interesting: hundreds of distinct passwords were shared by many different users. Besides the usual suspects, thousands of users chose brand-derived passwords such as "sheinside", which suggests they were made up on the spot at registration, or "shein18" and "Shein2018", which suggests the accounts were created in 2018. There were also 293,688 users whose password consisted only of whitespace; these appear as the two blank entries in the list below (290,394 and 3,294). Here's the list:

# Password Quantity
1 (blank, whitespace only) 290,394
2 123456 89,122
3 123456789 41,637
4 1234567890 22,968
5 12345678 20,673
6 Shein123 13,773
7 shopping 11,664
8 1234567 11,634
9 password 11,298
10 123123 11,155
11 aa123456 11,072
12 sheinside 10,063
13 shein 7,978
14 1234 7,297
15 12345 7,153
16 11223344 6,767
17 shein1 6,679
18 112233 5,874
19 0987654321 5,415
20 111111 5,281
21 1122334455 5,071
22 123321 4,781
23 Aa123123 4,742
24 qwerty 4,737
25 Shein2018 4,715
26 sheinshein 4,403
27 qwert 3,949
28 qwertyuiop 3,904
29 123123123 3,902
30 Aa112233 3,881
31 Aa11223344 3,785
32 1234512345 3,737
33 shein2017 3,682
34 onedirection 3,542
35 password1 3,473
36 iloveyou 3,295
37 (blank, whitespace only) 3,294
38 qwer1234 3,156
39 12344321 3,086
40 azerty 2,979
41 12345678910 2,934
42 chocolate 2,920
43 motdepasse 2,885
44 abc123 2,784
45 sunshine 2,754
46 princess 2,745
47 asDF1234 2,662
48 asdfghjkl 2,586
49 000000 2,567
50 shein@123 2,554
51 shein.com 2,547
52 loulou 2,524
53 SheIn2016 2,522
54 Mm123456 2,515
55 1234554321 2,456
56 as123456 2,401
57 987654321 2,399
58 qwerty123 2,389
59 shein1234 2,381
60 justinbieber 2,363
61 112233445566 2,354
62 abcd1234 2,330
63 shopping1 2,329
64 chouchou 2,313
65 doudou 2,289
66 654321 2,276
67 passwort 2,267
68 hallo123 2,254
69 chocolat 2,246
70 121212 2,204
71 forever21 2,176
72 hellokitty 2,165
73 Aa12341234 2,126
74 ichliebedich 2,110
75 clothes 2,092
76 ss123456 2,024
77 fashion 1,934
78 incorrect 1,888
79 shopping123 1,881
80 Aa123456789 1,877
81 hello123 1,849
82 12345678900 1,842
83 soleil 1,778
84 12341234 1,766
85 charlotte 1,756
86 compras 1,735
87 michelle 1,715
88 11111111 1,707
89 butterfly 1,704
90 Rr123456 1,701
91 azertyuiop 1,661
92 shein18 1,651
93 sheinpassword 1,633
94 Password123 1,621
95 charlie 1,620
96 Aa1234567 1,618
97 zxcvbnm 1,600
98 20092012 1,592
99 123456aA 1,590
100 welcome1 1,586

It should also be noted that the dump contains 3,294 accounts with a one-character password, which matches the second blank entry above at position 37 (presumably a single space), and that single characters such as ";", "(", "1" and "d" each appear several hundred times further down. It is safe to assume that SheIn did not enforce a minimum password length or any other password-strength rule.

Judging by the passwords users chose, the service has been operating at least since 2015 and has grown steadily since: "shein2015" was chosen by 699 users, "SheIn2016" by 2,522, "shein2017" by 3,682 and "Shein2018" by 4,715.

The year-on-year increase in users picking a year-based password was therefore 1,823 in 2016, 1,160 in 2017 and 1,033 in 2018, an average of about 1,339 per year. If that average held, roughly 6,054 users would have chosen "shein2019" and roughly 7,392 "shein2020". The extrapolation is weak, though: the increments shrink every year, and the 2018 figure only covers the months before the June 2018 breach.

Other notable choices include one-character passwords such as "&", "S" and "(" and two-character ones such as "43"; the word "sonnenschein" was used 1,356 times, "papillon" 1,131 times, "1q2w3e4r5t" 1,065 times and "ritinhasantos4" 1,021 times. The last one looks like a personal name rather than a common word, so 1,021 accounts sharing it points to one person, or a script, registering many accounts.

There are also occurrence counts that several distinct passwords share exactly; 73 such counts occur among the more popular passwords. The table lists one representative password for each count, the count itself, and how many distinct passwords were used exactly that many times (for example, "sonnenschein" and "Aa1122334455" were both used 1,356 times):

# Example password Quantity Distinct passwords with this count
1 estrella 1,001 2
2 00000 1,060 2
3 happy123 1,062 2
4 ; 1,095 2
5 Iloveshein 1,131 2
6 Aa1122334455 1,356 2
7 10203040 616 3
8 123456788 619 2
9 jesus123 625 2
10 999999 627 4
11 samantha1 631 2
12 123123AA 634 3
13 chicken 635 2
14 2 639 2
15 Computer 642 3
16 Aa100100 648 3
17 alessandro 649 3
18 Daisy123 652 4
19 lolipop 655 2
20 family 656 2
21 purple123 657 2
22 love2shop 666 3
23 ashley 667 2
24 monkey123 673 2
25 ( 676 2
26 justine 679 3
27 11223344556677 684 2
28 angela 692 2
29 123456789Aa 697 2
30 fuckyou 698 2
31 michelle1 699 2
32 224466 702 2
33 1234abcd 705 2
34 7654321 712 2
35 Mm11223344 715 2
36 123098 717 4
37 aa12345 718 3
38 131313 720 3
39 alessia 721 2
40 elizabeth1 724 2
41 beatrice 725 2
42 cooper 730 2
43 a1234567 731 2
44 buddy123 733 3
45 amandine 738 4
46 motherlode 739 2
47 090909 740 3
48 fatima 746 2
49 banana 751 2
50 hannah123 754 2
51 lovelove 757 2
52 barbie 759 2
53 88888888 773 2
54 asd123 779 3
55 asdfgh 783 2
56 112233445566778899 796 3
57 12121212 800 2
58 pepper 811 2
59 00000000 823 2
60 009988 824 3
61 aB123456 842 2
62 123456a 847 2
63 87654321 853 2
64 cocacola 860 2
65 coucou 874 2
66 123654 884 4
67 1 885 2
68 lalala 897 2
69 d 925 2
70 123455 952 2
71 Asd12345 964 2
72 marina 981 2
73 patricia 998 2

Since the shared counts belong to unrelated passwords ("sonnenschein" and "Aa1122334455" both at 1,356, "papillon" and "Iloveshein" both at 1,131), these ties are most likely coincidences among popular passwords rather than evidence of one user holding several accounts. A user who registers many accounts with the same password inflates a single password's count instead, which is the more plausible reading of entries like "ritinhasantos4" at 1,021.

Apart from this, passwords can also be grouped by the character they begin with. Here is the breakdown of passwords that begin with a letter:

# The letter the password begins with Quantity
1 A 1,992,010
2 B 1,298,884
3 C 1,455,374
4 D 964,988
5 E 710,719
6 F 803,599
7 G 789,006
8 H 887,892
9 I 660,077
10 J 978,300
11 K 906,390
12 L 1,342,680
13 M 2,109,455
14 N 904,379
15 O 458,681
16 P 1,213,355
17 Q 349,112
18 R 940,811
19 S 2,286,583
20 T 955,001
21 U 289,858
22 V 536,327
23 W 492,077
24 X 255,748
25 Y 381,001
26 Z 391,859

And the breakdown of passwords that begin with a digit:

The number the password begins with Quantity
0 656,343
1 1,423,879
2 613,947
3 299,329
4 236,096
5 231,729
6 232,289
7 235,043
8 247,879
9 341,314

In the data dump there are 408,406 passwords of 5 characters or fewer, 20,919,888 of 10 or fewer, 29,187,461 of 20 or fewer, 65,519 of 20 or more (the two 20-character buckets overlap, as with the email lengths), 40,642 of 30 or more, and 48 of 40 or more. The obvious assumption is that passwords of 20 characters or more were generated by password managers, but the shape of the distribution argues against that for most of them: 40,642 of the 65,519 long passwords are 30 characters or longer, while password managers typically default to something between 12 and 24 characters. One possibility worth checking is whether the entries in the 30-to-39-character range are 32-character hexadecimal strings, which would mean that some records were never cracked and still hold an unsalted MD5 digest in the password field; matching that bucket against ^[0-9a-f]{32}$ would settle it.
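The password-side checks made in this section (whitespace-only and one-character passwords, length buckets, year-suffixed brand passwords, counts shared by several distinct passwords, and telling password-manager output apart from uncracked hash digests) are small enough to run in one pass over a dump. The following is an added example, not code from the original BreachDirectory analysis; the sample passwords are constructed, the digest in the sample is md5("password") rather than a leaked value, and the 100-bit threshold used to call a long entry "manager-like" is an assumption.

```python
"""Added example, not code from the original BreachDirectory analysis: the
password-side checks made above, run over a constructed list of plaintext
passwords. It counts whitespace-only and one-character passwords, builds a
non-overlapping length histogram, groups year-suffixed brand passwords
case-insensitively, lists occurrence counts shared by several distinct
passwords, and separates long entries that are probably password-manager
output from ones that look like uncracked hex digests."""
from collections import Counter, defaultdict
import hashlib
import math
import re

# Hex lengths of common unsalted digests. If some of SHEIN's "encrypted"
# passwords were never cracked before the dump was published, they would
# land in the 30-39 and 40+ length buckets as strings of these lengths.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
YEAR_RE = re.compile(r"^shein(20\d\d)$", re.IGNORECASE)


def looks_like_hex_digest(pw):
    """Digest name if pw is a hex string of exactly a digest length, else None."""
    if len(pw) in HEX_DIGEST_LENGTHS and HEX_RE.match(pw):
        return HEX_DIGEST_LENGTHS[len(pw)]
    return None


def charset_entropy_bits(pw):
    """Crude strength estimate: length * log2(inferred alphabet size)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(size) if size else 0.0


def analyse(passwords):
    """Return a dict of the statistics discussed in the text."""
    counts = Counter(passwords)
    report = {
        "whitespace_only": 0,          # empty or spaces only
        "one_char": 0,                 # a single character, a lone space included
        "length_buckets": Counter(),   # keyed 0, 10, 20, 30, 40 (40 means 40+)
        "year_suffix": Counter(),      # shein<year>, any capitalisation
        "long_entries": Counter(),     # >= 20 chars: digest / manager_like / other
        "shared_counts": {},           # count -> distinct passwords with that count
    }
    by_count = defaultdict(list)
    for pw, c in counts.items():
        by_count[c].append(pw)
        if pw.strip() == "":
            report["whitespace_only"] += c
        if len(pw) == 1:
            report["one_char"] += c
        report["length_buckets"][min(len(pw) // 10 * 10, 40)] += c
        m = YEAR_RE.match(pw)
        if m:
            report["year_suffix"][m.group(1)] += c
        if len(pw) >= 20:
            if looks_like_hex_digest(pw):
                kind = "digest"
            elif charset_entropy_bits(pw) >= 100:   # threshold is an assumption
                kind = "manager_like"
            else:
                kind = "other"
            report["long_entries"][kind] += c
    report["shared_counts"] = {
        c: sorted(pws) for c, pws in by_count.items() if len(pws) > 1
    }
    return report


# Constructed sample; the digest is md5("password"), not a real leaked value.
SAMPLE = (
    ["123456"] * 5 + ["password"] * 4 + ["iloveyou"] * 4 + ["qwerty"] * 3
    + ["shein2017"] * 3 + ["Shein2018"] * 4 + ["SheIn2016"] * 2
    + [" "] * 2 + ["   "] + ["(", "1", "d"]
    + [hashlib.md5(b"password").hexdigest()]     # 32 hex chars: "digest"
    + ["Tr0ub4dor&3-correct-horse-battery"]      # 33 chars, mixed classes
    + ["1" * 20]                                 # 20 chars, digits only: "other"
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On the real dump the interesting numbers are long_entries["digest"] against the 40,642 entries of 30 characters or more, and shared_counts, which reproduces the 73-row table of tied counts directly from the data instead of by inspection.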

Summary

To summarize, the SheIn data breach, although modest next to the largest breaches, exposed on the order of 29 million email-and-password pairs in plain text, which is damaging for the company and especially for customers who reused those passwords elsewhere. On the positive side, SheIn notified its customers that their data was at risk and engaged cybersecurity investigators to monitor its network and reduce the chance of a repeat.
