Tags: security, privacy, data breach, phishing, loyalty

"Rituals' 41M Member Breach: When a Loyalty Program Becomes a Phishing List"

Mosaic Team, published April 29, 2026
[Image: a cosmetics retail counter with shopping bags, illustrating the loyalty data exposed in the Rituals breach]


On April 22, 2026, Netherlands-based luxury cosmetics retailer Rituals confirmed in customer notifications that attackers had performed an "unauthorized download" of records from its membership database earlier that month. Rituals operates more than a thousand stores across Europe and the United Kingdom, and the company's loyalty program counts roughly 41 million members in total — though it has declined to specify how many of those records were in the leaked subset.

The breach didn't include payment data. It didn't include passwords. What it did include is, in some ways, more valuable to a competent scammer: the personal context that makes a phishing email look like a perfectly ordinary message from your favourite skincare brand.

If you've ever bought a product at a Rituals store, signed up for the loyalty card at the till, or registered online to track an order, this post explains exactly what's likely in the leaked dataset, what the post-breach scam wave is going to look like over the coming months, and the small set of habits that move you out of the easy-target bucket.


What Was Exposed (and What Wasn't)

Per Rituals' own customer notification and reporting from TechCrunch, BleepingComputer, SecurityWeek, and Bitdefender, the leaked records contained:

Category                   | Exposed?
Full name                  | Yes
Date of birth              | Yes
Gender                     | Yes
Postal address             | Yes
Email address              | Yes
Phone number               | Yes
Preferred Rituals store    | Yes
Account / membership type  | Yes
Payment card data          | No (not stored in the loyalty database)
Account passwords          | No (not in scope)

Cards and credentials staying out of the leak is genuinely good news. A breach that included card data would be a far bigger emergency. But the records that did leak are the textbook profile of a marketing CRM: enough about who you are, where you live, when you were born, how to reach you, and which store you visit to enable highly tailored impersonation.

"We don't have your card. We have everything we'd need to convince you we're the brand you trust."

That's the distinction that makes loyalty-program leaks particularly nasty.


Why Loyalty Databases Are an Especially Toxic Leak

Most data-breach roundups treat all stolen personal data as roughly equivalent — names, emails, phone numbers, the usual. Loyalty records are different in three ways that matter for the scams that follow.

1. They prove a customer relationship exists

A cold phishing email saying "Your loyalty points are about to expire" is a numbers game. An email that addresses you by your real name, references the exact store you usually visit, and arrives on or near your birthday is not a numbers game — it's targeted, and it converts at far higher rates than generic spam.

2. They contain the data marketing departments use to manufacture urgency

Date of birth, preferred store, account tier, sign-up date — these are precisely the fields a real marketing system would use to send you a "VIP birthday gift," a "your-store-only flash sale," or a "members-only early access" message. When attackers have the same fields, every legitimate marketing pattern becomes a phishing template they can mirror beat for beat.

3. They're paired with a postal address

Most breaches give attackers your inbox. Loyalty breaches give them your doormat too. That opens up a category of scam most consumers rarely think about: physical mail that references real account details, fake "loyalty card replacement" letters, and even targeted package-delivery fraud aimed at intercepting orders.


The Scam Playbook to Expect Over the Next Several Months

Independent of how Rituals' own response unfolds, experience with earlier loyalty-program incidents (Marriott, Dunkin', Tim Hortons) suggests the follow-on scams will roll out in roughly this sequence.

1. "Your Points Are About to Expire" Emails

A personalised message that addresses you by name, cites your member tier, and warns that points or rewards will be lost if you don't "verify your account" via a link. The link will point at a lookalike domain (invented examples: rituals-rewards.com or members-rituals.net) hosting a phishing page that asks for your password, your card details, or both.

2. Birthday-Gift Pretexts

Because your date of birth is in the leak, expect a wave of "Happy Birthday from Rituals — claim your free gift" emails timed precisely to your real birthday. The link won't go to Rituals; it'll go to a credential or card-harvesting page designed to look identical to a Rituals microsite.

3. Store-Specific Lookalikes

Knowing your preferred store lets attackers localise the pitch. "Your local Rituals at <your actual mall> is hosting a private members evening — RSVP here." For someone who genuinely shops at that store, the framing slips past the usual "this seems off" filter.

4. SMS and WhatsApp Variants

Phone numbers in the leak make smishing the natural next step. Short messages — "Your Rituals delivery is delayed, click to reschedule" or "Confirm your address to release your gift" — exploit the fact that people read SMS faster and more trustingly than email.

5. Postal Mail Scams

This is the under-discussed one. With name and street address in hand, attackers can send physical mail referencing your account: "Your loyalty card has been replaced for security reasons; please call this number to activate." The phone number routes to a scam call centre that asks for "verification details" — the same phishing flow, with a postage stamp on the front.

6. Long-Tail Credential Stuffing

Even though passwords weren't in this leak, the email list is still useful for credential stuffing: it's a confirmed set of live addresses that each hold a Rituals account. Attackers will pair those addresses with passwords from older breaches and replay them against Rituals and adjacent retail logins, on the assumption that customers reuse passwords across loyalty programs.


What to Do If You're a Rituals Member

Six concrete actions, in order of priority:

  1. Treat any unsolicited email, text, or letter referencing your Rituals account as hostile until proven otherwise. Open Rituals.com directly in your browser to check anything time-sensitive. Never click links in unexpected loyalty messages.
  2. Rotate your Rituals password and enable two-factor authentication if it's offered. Even though the breach didn't expose passwords, rotating costs nothing — and if you reused that password anywhere else, that's the credential-stuffing vector you actually need to close.
  3. Be sceptical of "birthday gift" and "expiring points" messages, especially the ones that arrive with eerie timing relative to your real birthday or recent purchases.
  4. Don't act on physical mail asking you to call a number. If the letter looks legitimate, look up the brand's customer service number from their official website and call that instead.
  5. Watch your inbox for new sign-ups and password-reset emails you didn't initiate. Those are the early warning signs of someone trying to take over adjacent accounts using your now-confirmed email.
  6. Consider an aliased or disposable email address for future loyalty sign-ups. If a future leak hits the alias, you rotate the alias — your primary inbox stays clean.

Why "Just" Loyalty Data Is Worse Than People Realise

The reflex when reading "no payment data was exposed" is to relax. That reflex is wrong, and it's worth naming why.

A credit card number is a revocable identifier. If it leaks, you call the issuer, they cancel the card, send a new one, and the leak's value to attackers expires within days. The financial loss is bounded, often reimbursed, and the timeline is short.

Your name, date of birth, and home address are not revocable. You can't ask a bank to cancel your birthday. Once that profile is in a criminal dataset, it stays there forever — combined with the next leak, and the one after, and the one after that, into an increasingly rich identity-theft kit. The financial loss isn't bounded; it compounds over years.

This is the structural problem with retail loyalty programs as they currently exist: they accumulate fields that customers can never rotate, in service of marketing that doesn't strictly need most of them. The Rituals leak isn't a freak event — it's what happens when normal marketing infrastructure gets touched by attackers who weren't supposed to have access. The same pattern hit Boots, Dunkin', and Tim Hortons in earlier years. It will hit other brands again.

You can't unwind the leak. You can make sure that the next loyalty sign-up gives a brand the bare minimum it needs to actually serve you — and not an extra decade's worth of fields it'll be quietly storing in a database you can't audit.


A Practical Privacy Hardening Checklist

Use this as a once-a-quarter habit. Most of it takes a single afternoon.

Account hygiene

  • Inventory the loyalty programs you've signed up for. Most people have dozens — close the ones you no longer use. Each closed account is one less future leak you'll be in.
  • Run every account through a password manager with unique, generated passwords. Reuse is the single biggest amplifier of any breach.
  • Enable two-factor authentication everywhere it's offered, with an authenticator app rather than SMS where possible.
  • Set up haveibeenpwned.com email alerts so you find out about future leaks the day they're known, not the day a scam lands.
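The Have I Been Pwned alert in the list covers email addresses; the same service also publishes a Pwned Passwords lookup that tells you whether a password itself has appeared in a breach, without the password ever leaving your machine. The block below is an added example, not Mosaic's or HIBP's own code, showing how that k-anonymity lookup works: hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The range response embedded here is constructed for the example (the first suffix is the genuine SHA-1 tail of "password"; the other suffixes and every count are made up), and live_fetch shows the real request shape without being called.

```python
import hashlib
from typing import Callable

# Constructed sample range response (NOT real HIBP data). The first suffix is the
# genuine SHA-1 tail of "password"; the other suffixes and all counts are invented.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0A1F7E0BDD4C2C5C63B3A9E1F7A2C9D4E5F:2\n"
        "FFEE00112233445566778899AABBCCDDEEF:17\n"
    ),
}


def hash_parts(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as the range endpoint returns them.
    Padded responses include suffixes with count 0; those are kept as 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 = not found).
    fetch_range receives only the 5-char prefix, never the password or full hash."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, answering from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """The real request (not exercised in this example). Add-Padding makes every
    response a similar size so an observer cannot narrow the prefix by length."""
    from urllib.request import Request, urlopen
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "Zq8!vL3#pT9wX2mR"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample range'}")
```

Swap offline_fetch for live_fetch to run it for real; the only thing that crosses the network is a five-character prefix shared by every hash in that range, which is the whole point of the scheme. Most password managers run exactly this check for you, so the practical takeaway is to let them.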

Inbox and SMS hygiene

  • Treat all unsolicited "loyalty" messages as hostile by default. Verify by signing in to the platform directly.
  • Hover over links before clicking (long-press on a phone) and read the actual domain, not the link text: lookalike domains rarely survive a careful read. The part that matters is the registered domain just before the first slash; rituals.com.example.net is not rituals.com.
  • Report and delete, don't engage. Replying to phishing or smishing confirms a live address or number.
  • For high-volume retail sign-ups, use an aliased email (Apple's "Hide My Email," Fastmail aliases, SimpleLogin). When the alias inevitably ends up in a breach, you rotate it.
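The "read the actual domain" advice is easy to automate. The following is an added example, not code from Mosaic or from Rituals: a small Python classifier that takes a link from a message and reports whether it sits under the brand's real domain, is a lookalike (brand name inside a different domain, digits or Cyrillic letters standing in for Latin ones, punycode, or the brand name hidden in the userinfo part of the URL), or is unrelated. It assumes rituals.com is the only official domain, since that is the address the post tells members to type directly; the confusables table is a deliberately small stand-in for the Unicode confusables data a production check would use, and the sample links are constructed, not real phishing URLs.

```python
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"rituals.com"}       # assumption: the brand's real registrable domain(s)
BRAND_TOKENS = ("rituals", "ritual")     # what an impersonating host wants you to see

# Deliberately small confusables table (assumption: covers common digit and Cyrillic
# substitutions; a production check would use the Unicode TR39 confusables data).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0443": "y", "\u0445": "x",
})


def skeleton(host: str) -> str:
    """Fold a host name to a crude ASCII skeleton: strip accents, swap confusable
    characters, lower-case. 'r\u0456tuals' and 'ritua1s' both become 'rituals'."""
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return plain.translate(CONFUSABLES).lower()


def canonical_host(url: str) -> tuple[str, bool]:
    """Return (hostname with punycode decoded, whether the URL carries userinfo)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw punycode; it is still skeletonised below
    return host, parts.username is not None


def classify_link(url: str) -> str:
    """'official' if under an official domain, 'lookalike' if it impersonates the
    brand, 'unrelated' otherwise (including links with no parsable host)."""
    host, has_userinfo = canonical_host(url)
    if not host:
        return "unrelated"
    # https://rituals.com@evil.example/ displays the brand but connects to evil.example
    if has_userinfo:
        return "lookalike"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(token in skeleton(host) for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for link in (
        "https://www.rituals.com/en-gb/account",
        "https://rituals-rewards.com/verify",
        "https://members-rituals.net/claim",
        "https://rituals.com.example.net/login",
        "https://ritua1s.com/birthday",
        "https://r\u0456tuals.com/",
        "https://rituals.com@evil.example/",
        "https://example.org/",
    ):
        print(f"{classify_link(link):9s} {link}")
```

Note what "unrelated" means in practice: a shortened link (bit.ly and friends) or a tracking domain the brand's mailer uses will come back unrelated, not official. That matches the "hostile by default" rule in the list: only a verdict of official should change what you do, and even then sign in by typing the address rather than clicking.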

Physical-mail hygiene

  • Treat unexpected branded mail with the same scepticism you give email. A letter on nice paper isn't more trustworthy than an email with a logo.
  • Look up phone numbers independently. Never call a number printed on a "loyalty card replacement" letter — go to the brand's website and find the customer-service line there.
  • Shred mail containing your full address before discarding it. Yes, even loyalty offers — they're identity-theft kindling.

Network hygiene

  • Encrypt your traffic on networks you don't fully trust — public Wi-Fi, hotel networks, cafes, conference centres, co-working spaces.
  • Keep DNS lookups inside the encrypted tunnel so a compromised router or hostile hotspot can't quietly point rituals.com somewhere else. Be clear about what this does not cover: a lookalike domain that resolves exactly where its owner intends. That still needs the careful read of the address itself.
  • Turn off Wi-Fi auto-join for unknown networks. Lookalike SSIDs (Mall_Free_WiFi, Store_Guest) are a cheap and reliable phishing channel.

Damage control

  • If you suspect compromise, start with the mailbox that receives password resets: change its password, check its own recovery email, phone number and forwarding rules, and sign out every session. Only then rotate the retailer password, regenerate 2FA recovery codes, and review the recovery contacts on that account. The order matters: rotating the retailer password while an attacker still controls the mailbox that receives its reset links just hands them a way back in.
  • Watch your statements for small "test" charges in the days after a known breach. Attackers validate cards with $1 charges before running larger fraud.
  • Don't delete the phishing emails or texts. Keep them in a folder until you're sure no follow-on activity is happening — they're evidence if you need to dispute a charge.

How Mosaic VPN Fits In

A VPN doesn't stop a retailer like Rituals from getting breached. What it does do is shrink the surface area on every other side of your digital life — especially when the post-breach phishing wave starts rolling in.

  • AES-256 encryption — Your traffic on home, hotel, airport, and cafe Wi-Fi is encrypted between your device and the VPN server, so anyone else on the same network can't read or tamper with it. Beyond the VPN server it travels as it normally would, which is why HTTPS on the site itself still matters.
  • Low-overhead encrypted tunnel — Minimal performance impact on your connection, so video calls, large downloads, and 4K streaming stay smooth.
  • Kill Switch — If the tunnel drops, all traffic is blocked until it reconnects, so nothing leaks onto whatever network you happen to be on.
  • DNS leak protection — Your lookups stay inside the tunnel, so a misconfigured router or hostile captive portal can't tamper with where rituals.com resolves. It does nothing about a link whose domain is itself the lookalike; that one you still have to read.
  • Global server network — Exit servers in dozens of countries let you reach the services you actually use, even when a destination network is filtered, slow, or untrusted.

Think of it as the layer that stays consistent regardless of which retailer you happen to be trusting that week. You can't audit Rituals' membership database. You can control whether the network between you and the rest of the internet is yours.


The Bottom Line

The Rituals breach is a clean case study in a quietly important shift in how consumer data leaks work in 2026. The attacker didn't steal card numbers or passwords. They walked away with identity context — names, dates of birth, addresses, phone numbers, and the small details that make a phishing message feel like a real one from a brand you actually use.

You can't undo the leak. You can make sure that when an unusually well-informed "loyalty offer" lands in your inbox, mailbox, or texts over the next year, you treat it like the hostile pitch it is — verify in the official app, never trust the link or phone number it provides, and assume the loyalty card you signed up for last year is now part of your threat model.
