Cyber Incident Victim: Scentbird

In July 2020, threat actor ShinyHunters leaked databases containing stolen records from eighteen companies on a hacker forum, with startups appearing to be the primary targets. Security outlet BleepingComputer first reported the leak after identifying the publicly released data troves, which collectively exposed approximately 386 million records. Among the affected organizations was subscription fragrance service Scentbird, which had not previously disclosed a breach prior to this incident. Following BleepingComputer’s outreach to the impacted companies, Scentbird issued a breach notification to its users confirming unauthorized access to customer data. The compromised information included email addresses, hashed passwords, and unspecified personal details. Scentbird did not disclose the number of affected accounts or the exact timeframe of the breach in the available reporting, though the leak’s public emergence occurred around mid-July 2020.

The company advised users to reset their passwords as a precautionary measure, indicating that password hashes were among the exposed data elements. No further technical specifics regarding the breach methodology, intrusion timeline, or internal forensic findings were disclosed in the source material. The incident formed part of a broader pattern of attacks targeting startups, with at least one other affected firm, Drizly, confirming a breach impacting 2.5 million accounts around the same period. Scentbird’s public response focused on notifying customers and recommending credential changes without elaborating on additional remediation steps or system modifications. The disclosure occurred within days of external verification of the leaked data’s authenticity, though the exact duration between the initial compromise and public acknowledgment remained unspecified in available reports.