Paris-headquartered luxury skincare maker Clarins has been named on a dark web leak page run by the Everest ransomware gang, which claims to have obtained records tied to more than 600,000 customers across the United States, France and Canada. The group posted screenshots it says are samples from Clarins’ user databases; independent researchers have examined the material, but the company has not publicly confirmed the extent of any exposure.
Samples Show Core Customer Fields But No Supporting Documents Presented
Cybernews researchers who reviewed the Everest post found several screenshots presented as proof. The visible samples appear to be extracts from customer databases and include routine e-commerce fields commonly collected at checkout or account creation:
- Customer full names
- Dates of birth
- Postal addresses
- Phone numbers
- Email addresses
The attackers’ post also asserts possession of a “variety of personal documents and information,” but no such documents were provided in the publicly visible samples. Cybernews researchers note the exposed entries likely originate from Clarins’ regional online stores or CRM systems, based on the fields and formatting seen in the screenshots.
Additional Database Samples Include Purchase Histories
Beyond identity fields, Everest published samples from two additional datasets that, according to the researchers, show purchase histories and product-category records. Those tables list transactions and product types such as skincare and makeup. Cybernews analysts warned that purchase records combined with contact details increase the value of the data to fraudsters and make targeted phishing more convincing.
Risks Identified by Researchers
Security teams reviewing the samples flagged the usual threats that follow large retail data exposures. With names, contact details and purchase context available, attackers can mount highly targeted attacks:
- Phishing calls or messages that impersonate brand support or delivery services
- Credential stuffing or account takeover attempts where email addresses and passwords are reused
- Fraudulent offers or invoices designed to prompt payments or malware downloads
- Potential identity fraud using combined personal identifiers
Because the published material appears limited to screenshots, researchers cannot confirm whether payment card numbers, full account credentials, or other sensitive documents were accessed. The presence of purchase history data, however, raises concerns about targeted scams and social-engineering campaigns.
Everest Gang Background and Recent Activity
Everest is a ransomware operation first observed in 2021 and is believed by some investigators to be linked to Eastern European threat actors. The gang gained attention after claiming access to AT&T’s corporate network in October 2022 and has since posted numerous victims on its leak site. Recent Everest targets reported in open-source monitoring include Allegis Group, Coca-Cola’s Middle East division and Crumbl. Cybernews’ Ransomlooker telemetry indicates Everest has advertised breaches of more than one hundred organizations in the prior 12 months, placing the group among the more active extortion operations.
Clarins Business Profile Mentioned in Leak Coverage
Clarins is a large global cosmetics and skincare firm headquartered in Paris. Public business profiles estimate annual revenue near €2 billion and a workforce of roughly 8,000 employees. The company operates retail and direct-to-consumer channels across Europe and North America, which would explain a multinational customer footprint if the leaked samples are authentic.
Clarins Contacted; No Public Confirmation at Time of Review
Clarins was contacted for comment about the dark web postings and the screenshots analyzed by researchers. At the time of this report, no public statement from the company confirming the breach specifics was available. The screenshots remain the primary evidence shown on the Everest leak page.
For enterprise security teams, this incident is a reminder that retail and direct-to-consumer systems remain attractive targets for extortion groups. The combination of identity fields and transaction data increases the downstream risk to customers and to partners that rely on retail customer information for service and marketing. Researchers emphasize that even database screenshots can be weaponized to craft convincing phishing or fraud campaigns.