Company traces compromise to vulnerability in payment processor’s systems

Japanese beauty retailer Acro blames third-party hack for breach of 100k payment cards

A data breach disclosed by a Japanese e-commerce company has exposed the details of more than 100,000 payment cards.

In a data breach notice (in Japanese), beauty products retailer Acro revealed that customers of two of its four beauty product websites were impacted as the result of exploitation of a vulnerability in a third-party payment processing vendor.

The attack, it added, compromised data related to 89,295 payment cards used to pay for goods on the Three Cosmetics domain and 103,935 cards used on its Amplitude site.

Read more of the latest data breach news

Victims potentially include anyone who made purchases on either of the two sites between May 21, 2020, and August 18, 2021.

The stolen data apparently included cardholder names, payment card numbers, dates of expiry, and security codes.

It’s also possible that some usernames and passwords may have been leaked, said Acro.


A timeline of the Acro data breach and ensuing investigation begins with suspicions being raised of a compromise on August 20, 2021, followed by all four of the company’s sites being taken offline on August 21, 2021.

A third-party investigation began on August 24 and established certain details about the leak on October 22.

The breach was subsequently reported to law enforcement and Japan’s Personal Information Protection Commission.

YOU MIGHT ALSO LIKE Chrome Skype extension with 9m installs found to be leaking user info

The retailer said it started notifying affected customers by email from February 24. Potential victims have been urged to monitor their financial statements for suspicious activity and reset passwords on vulnerable online accounts.

Acro apologized to customers about the breach and promised to bolster its cybersecurity based on the investigation’s conclusions, including by relaunching its websites and taking measures to prevent unauthorized logins.

It said it was also working with credit card companies to continuously monitor transactions and prevent fraudulent use.

RELATED Equifax data breach: Consumers unlikely to benefit financially from final settlement