US fashion retailer SHEIN has admitted suffering a major breach affecting the personal information of over six million customers.

The women’s clothing company revealed at the end of last week that its network had been targeted by a “concerted criminal cyber-attack” and that it had hired a forensic cybersecurity firm and a law firm to handle the investigation.

Details are scarce, but the firm said it had scanned for and removed backdoor malware found on its servers.

“While the full extent of the attack will continue to be investigated, it can now be confirmed that the personal information illegally acquired by the intruders included email addresses and encrypted password credentials of customers who visited the company website,” a statement noted.

“It is our understanding that the breach began in June 2018 and continued through early August 2018 and involves approximately 6.42 million customers. SHEIN may update this information at a later date based on any new findings.”

As no card details were taken, it does not appear as if the retailer was hit by the recent spate of Magecart attacks skimming financial details as customers enter them into e-commerce sites.

It’s unclear how strongly the passwords are encrypted so the hackers may look to brute force them. They would then have a handy email/password combination which could be used to unlock other accounts around the web via credential stuffing, if users have been careless in sharing their credentials across multiple sites.

There’s also a risk that these could be used to access corporate accounts if SHEIN customers used their work email addresses to register with the site.

That’s not uncommon: in January researchers uncovered over one million email addresses belonging to staff at the UK’s 500 top law firms up for sale on the dark web, 80% of which had an associated password. It’s believed the credentials were lifted from breaches at third-party sites.