Victoria’s Secret Security Incident: Is Your Personal Data at Risk?

Victoria’s Secret confirmed late Wednesday that it voluntarily took its U.S. website and mobile app offline after “identifying and taking steps to address a security incident” that disrupted online orders and some in-store services, including digital gift-card redemptions and email receipts. According to a statement emailed to multiple media outlets, the lingerie retailer is working with external cybersecurity experts and law-enforcement partners to determine whether customer payment data or account credentials were accessed. The company has not yet disclosed the attack vector or confirmed if ransomware was involved, but it pledged to “notify any impacted individuals as required by law”. Shoppers first noticed problems early Wednesday morning when both the Victoria’s Secret and PINK homepages displayed maintenance messages instead of product listings. Social-media posts quickly speculated about a breach as checkout pages and order-tracking functions timed out nationwide. Physical stores remain open, though associates were instructed to process returns manually while certain point-of-sale integrations were disabled for precautionary review. The outage arrives at a critical moment: Victoria’s Secret is days away from its semi-annual sale, historically one of the brand’s largest digital traffic drivers. Market analysts noted that parent company VS&Co (NYSE: VSCO) shares fell more than 7 percent intraday on news of the incident, erasing roughly $180 million in market capitalization before partially recovering by the close. Cybersecurity researchers point out that fashion and beauty retailers have become lucrative targets for threat actors because loyalty accounts often store saved credit-card numbers and detailed personal profiles. In 2024 alone, at least five major apparel brands reported credential-stuffing events or payment-skimmer infections, according to RiskBased Security. What customers should do now • Monitor credit-card and bank statements for unfamiliar charges over the coming weeks. • Change your Victoria’s Secret account password and enable multifactor authentication once the site resumes service. • Be wary of phishing emails that reference order cancellations, coupons, or password resets; confirm legitimacy by visiting the official website directly, not by clicking embedded links. Victoria’s Secret says its digital platforms will return “as soon as it is safe to do so.” In the meantime, shoppers can still place telephone orders via customer-care lines or shop in person. The company promises a further update within 48 hours as forensic analysis continues.