Cyber Incident Victim: Warby Parker

Date: Sep 2018

Location: United States of America

Summary

A credential stuffing attack targeted the eyewear retailer Warby Parker, potentially impacting approximately 198,000 customers over two months. Attackers used credentials stolen from unrelated breaches to access accounts, exploiting reused usernames and passwords. No evidence confirmed unauthorized viewing of prescription data or profiles, or theft of stored payment information. The company proactively reset affected account passwords, notified potentially compromised customers, and collaborated with law enforcement to address the incident, emphasizing customer security as a priority while apologizing for any inconvenience caused.

Description

Between September 25 and late November 2018, the eyewear retailer Warby Parker experienced a credential stuffing attack against its customer accounts. Unknown threat actors systematically attempted to access user accounts using login credentials previously stolen from unrelated third-party companies. The method relied on customers reusing identical usernames and passwords across multiple online services, which allowed attackers to test compromised credentials against Warby Parker’s systems. The company detected the unauthorized access attempts by late November, concluding the activity spanned approximately two months. Approximately 198,000 customer accounts were identified as potentially compromised due to credential reuse. Attackers could in theory have accessed profile information, including stored eyeglass prescriptions, though Warby Parker confirmed that no evidence suggested actual viewing or exfiltration of this data.

The attackers could have placed fraudulent orders if payment card details were stored in affected accounts, but the company found no proof of payment card theft or misuse. Warby Parker responded by resetting passwords for all potentially impacted accounts and directly notifying those customers that a credential change was required. Co-founder and co-CEO Dave Gilboa publicly emphasized customer security as a priority, apologized for the inconvenience, and acknowledged customer patience during remediation. The company reported the incident to law enforcement agencies and cooperated with their investigation. No technical details regarding detection methods or specific system vulnerabilities were disclosed. The breach highlighted the risks of credential reuse and did not indicate a compromise of Warby Parker’s internal systems or databases.