Rituals Discloses Data Breach Affecting My Rituals Customers


Rituals has confirmed a data breach involving its My Rituals membership database after an unauthorized party downloaded part of its members’ data in April 2026. The company says the incident has been contained, affected members have been notified, and no passwords or payment information were accessed.

The exposed data may include full names, email addresses, phone numbers, dates of birth, gender, and home addresses, depending on what each customer shared with Rituals. TechCrunch also reported that some notification emails mentioned preferred store details and account type as part of the affected membership data.

Rituals has not disclosed how many customers were affected. However, the company’s My Rituals loyalty program has more than 41 million members, according to reports citing the brand’s membership figures.

What Rituals confirmed

Rituals said it discovered the breach after identifying an unauthorized download of member data. The company stopped the access, investigated what happened, and then informed affected members by email.

The company has reported the incident to relevant authorities and started an in-depth forensic investigation. Rituals says it wants to understand how the breach happened and what extra measures can prevent a similar incident.

At this stage, Rituals says it has not seen the extracted data become publicly available. The company also says customers do not need to take account-level action, but it advises them to stay alert for phishing messages.

At a glance

Item: Details
Company: Rituals
Program affected: My Rituals membership program
Incident type: Unauthorized download of customer data
Timing: April 2026
Data affected: Names, emails, phone numbers, dates of birth, gender, home addresses
Extra data reported: Preferred store and account type
Passwords affected: No
Payment data affected: No
Public leak found: No evidence so far
Customer action: Stay alert for phishing messages
Investigation status: Forensic investigation underway

Why the breach matters

The breach did not expose passwords or payment cards, which lowers the risk of direct account takeover or immediate financial theft. Still, the exposed details can help scammers create convincing messages that appear to come from Rituals.

A phishing email using a real name, birthday, address, or loyalty account context can feel more trustworthy than a generic scam. Attackers may use that information to promote fake discounts, fake birthday gifts, fake account checks, or fake delivery issues.

Rituals already warns customers that fake birthday gift messages can circulate and that the company will never ask customers to transfer money for a birthday gift. That guidance becomes more important when attackers may have membership-related personal details.

Who may be affected

The breach affects members of the My Rituals loyalty program. Rituals uses the program for benefits such as rewards, gifts with purchase, birthday gifts, and customer account features.

Rituals has not published a country-by-country number of affected customers. TechCrunch reported that the company confirmed affected members in Europe and the United Kingdom, and later confirmed that some U.S. customers were also affected.

The brand has a large international footprint. BleepingComputer reported that Rituals operates more than 1,400 retail boutiques and more than 4,800 luxury perfumeries and department store locations across 33 countries.

What customers should watch for

Customers should be cautious with unexpected messages that mention Rituals, My Rituals rewards, birthday gifts, delivery problems, account verification, or payment requests.

A real-looking message can still be fraudulent. Scammers often copy brand language, use familiar promotion themes, and add urgency to make people click before they think.

The safest approach is to avoid links in unexpected emails or SMS messages. Customers should open the Rituals website or app directly and check their account from there.

Possible scam signs

  • A message asks you to pay to receive a Rituals birthday gift.
  • An email asks you to verify your My Rituals account through a link.
  • A text message claims your loyalty points will expire immediately.
  • A message asks for card details to unlock a reward.
  • A sender uses a lookalike Rituals domain.
  • A message includes spelling errors, unusual pressure, or a strange payment page.
  • A caller asks for account details, passwords, or payment information.

What Rituals customers can do now

  • Be cautious with unexpected Rituals emails, SMS messages, or phone calls.
  • Do not click links in messages about urgent rewards or account checks.
  • Visit the official Rituals website or app manually.
  • Never share passwords, card details, or verification codes through a message link.
  • Watch for fake birthday gift messages asking for payment.
  • Use a strong, unique password on your Rituals account, even though passwords were not exposed.
  • Monitor email accounts for unusual login alerts or reset messages.
  • Report suspicious messages to Rituals customer support.

Why loyalty data is valuable to attackers

Retail loyalty programs collect information that helps brands personalize offers. That same information can help criminals personalize scams.

Names, birthdays, addresses, phone numbers, store preferences, and account types can all make a message more believable. A fake promotion sent near a customer’s birthday can seem normal if the attacker knows the person uses My Rituals.

This is why customer data breaches remain risky even when payment details stay safe. The danger often moves from direct financial theft to targeted social engineering.

FAQ

What happened at Rituals?

Rituals confirmed that an unauthorized party downloaded part of its My Rituals membership data in April 2026. The company says it stopped the access and informed affected members.

What data was exposed?

The data may include full name, email address, phone number, date of birth, gender, and home address. Some reports also mention preferred store and account type.

Were passwords stolen?

No. Rituals says passwords were not accessed.

How many customers were affected?

Rituals has not disclosed the number of affected customers. Its My Rituals program reportedly has more than 41 million members.
