Warby Parker Notifies Customers of Data Security Incident


NEW YORK—Warby Parker announced late last week that it has taken steps to notify customers and protect their accounts following a cybersecurity incident. According to the company’s announcement, unauthorized parties obtained usernames and passwords from unrelated breaches at other companies, then attempted to access a limited number of Warby Parker customer accounts with those username/password combinations. Warby Parker said it has notified its potentially affected customers and required them to reset their Warby Parker passwords. The company said it believes the incident may have affected up to approximately 198,000 customers.

In addition, Warby Parker said it has engaged third-party cybersecurity experts to assist in a thorough review of the case. The company said it believes the unauthorized access began Sept. 25, 2018, and ended shortly after Warby Parker discovered the problem in late November 2018.

“Customer privacy and security is a key priority for us,” Warby Parker co-founder and co-chief executive officer Dave Gilboa said in the announcement. “We have reset passwords for potentially affected customers, and we apologize for the inconvenience this may cause them. We want to thank our customers for their patience as we work to protect the security of their data. We have reported this matter to law enforcement and are actively cooperating with them.”

The company said its investigation “found no proof that the unauthorized users obtained the payment card information of these Warby Parker customers.”

Warby Parker said its investigation indicates that customers could only be affected if they used the same username and password for Warby Parker and for other internet sites. “It appears that unauthorized users obtained username and password combinations associated with those other sites, then began trying those combinations elsewhere, including at Warby Parker.

“The targeted, mandatory password reset recently required by Warby Parker is a security precaution that responds directly to the nature of this event,” the announcement noted.

The unauthorized users may have been able to view stored prescriptions and other customer profile data, though Warby Parker said it “has no proof that any account information was actually viewed.”

In addition, the unauthorized users may have been able to place orders for eyewear if customers had stored their payment card information. “There is no evidence that the unauthorized users could see Warby Parker customers’ complete payment card information or use the cards anywhere outside of Warby Parker’s website,” the announcement noted.

The company said that consumers with questions can direct them to privacyhelp@warbyparker.com.