
Indian shopping site LBB leaks 3 million customer records


Nearly three million records with over 39,000 unique email addresses from LBB, the Nykaa-owned Indian shopping site, were posted to a hacking forum in August 2022. Other leaked information included IP and physical addresses, names and device information going back to 2019.

According to Have I Been Pwned, a popular, free leak-checking service, 97% of the leaked records were already in the database. The file available for download is a 264.3MB 7z archive that totals 3.15GB when extracted and contains 3,122,262 lines with 39,263 unique email addresses.

While LBB attributed the breach to a third-party service, the leak includes information the company retains on its customers, along with additional data attributes. LBB was acquired by Nykaa in September 2022, only one month after the alleged leak.

The leaked information is available on a popular hacking forum to download for free and includes the following details:

  • Browser user agent details
  • Email addresses
  • IP addresses
  • Real names
  • Physical addresses
  • Facebook IDs

At the moment there’s no information on who might have breached LBB or even an official statement from the company itself. We’ve reached out to LBB for a comment but are yet to receive a response at the time of writing. 

LBB started off as a simple Facebook page but has since grown into a website with over 20 million users browsing its curations and recommendations. The site also provides expert recommendations and reviews as well as city guides for major Indian cities like New Delhi, Mumbai, Bangalore and Goa. The company has raised over $7 million from Indian investors so far and, despite its acquisition by Nykaa, continues to operate and grow independently.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.