
Rituals Data Breach Exposes Millions of Loyalty Members
Dutch cosmetics brand Rituals has confirmed a data breach affecting customers enrolled in its My Rituals membership programme. The Rituals data breach, discovered in April 2026, involved the unauthorised download of personal records from the company's loyalty database, which holds information on more than 41 million members worldwide. No passwords or payment details were accessed, but the scope of exposed personal information is significant.
What Was Taken
Attackers gained access to a range of customer profile data. The compromised records include full names, email addresses, phone numbers, dates of birth, home addresses, gender, preferred store location, and account type.
This is not financial data. But it is precisely the kind of information that makes phishing and social engineering attacks effective. With a full name, date of birth, home address, and email in hand, criminals can craft messages that look and feel credible to the person receiving them.
Rituals confirmed that no passwords or payment information were accessed during the intrusion. That distinction matters, but it does not reduce the phishing risk that follows from the data that was taken.
How Rituals Responded
The company says it detected the breach after being alerted to the unauthorised activity, at which point it moved to stop the download and block the attacker's access. Rituals describes the situation as contained.
A forensic investigation is underway to determine how the intrusion occurred and what further steps are needed to prevent a repeat. Relevant authorities have been notified, including in the United States, where some affected members are based.
Rituals is contacting affected customers directly by email and has engaged external cybersecurity specialists to monitor the dark web for any appearance of the stolen data. At the time of disclosure, the company said it had found no evidence the data had been published or sold online.
Who Is Affected
The breach affects My Rituals members across Europe, the United Kingdom, and the United States. Customers in multiple European countries have received notification emails, confirming the breach extends well beyond the Netherlands.
Rituals has not disclosed how many individuals are affected. The company said it could not provide that figure for security reasons. With over 41 million people in the membership database, the potential exposure is large, even if the download captured only a portion of records.
No cybercrime group has claimed responsibility, and the attack method has not been made public.
The Risk That Follows a Breach Like This
A breach involving names, birth dates, addresses, and email accounts does not trigger an immediate financial loss for most customers. The threat plays out differently.
Criminals who acquire this kind of profile data use it to personalise fraudulent communications. A message that references your full name, mentions your date of birth, or appears to come from a brand you regularly shop with carries far more credibility than a generic scam. That is the environment affected Rituals customers now face.
Rituals has advised members to stay alert for suspicious emails, text messages, and phone calls. The company specifically warns against responding to any message that asks for sensitive information such as passwords, and customers should be sceptical of anything that creates urgency around an account, delivery, or reward.
A Pattern Across Retail
The Rituals data breach sits within a wider trend of loyalty programme databases being targeted across the retail sector. Membership programmes are attractive targets because they consolidate rich personal data in one place. When a retailer signs up millions of customers and asks for names, birthdates, contact details, and location preferences, that database becomes a valuable asset. It also becomes a liability.
Retailers with global reach and large consumer databases are facing sustained pressure from criminal actors who recognise the extortion and fraud value of that data. The Rituals incident is a clear example of why access controls and monitoring around these systems matter as much as the safeguards applied to payment infrastructure.
What Affected Customers Should Do Now
Customers who have received a notification from Rituals, or who are enrolled in the My Rituals programme and have not yet heard, should take a few practical steps.
Be sceptical of any email that references your Rituals account, loyalty points, birthday offers, or personal details. Rituals itself has flagged that it has dealt with brand impersonation scams in the past, and criminals are likely to exploit this breach in similar ways.
If you use the same email address and password combination across multiple accounts, change those passwords now, starting with financial and email accounts. Enable two-factor authentication wherever it is available.
The investigation is ongoing. Further details about the attack vector and the full number of affected members may emerge as the forensic review progresses.