Victoria’s Secret takes down website after security incident

Fashion giant Victoria's Secret has taken down its website and some store services because of an ongoing security incident.

Victoria's Secret manages approximately 1,380 retail stores in nearly 70 countries and reported an annual revenue of $6.23 billion for the fiscal year ending February 1, 2025.

The company says in a message replacing the website that its Victoria's Secret and PINK stores remain open while operations are being restored.

"Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution," it says. "Our team is working around the clock to fully restore operations. We appreciate your patience during this process."

When asked for more details, a company spokesperson has also told BleepingComputer that Victoria's Secret has hired external experts to investigate the incident's impact. Victoria's Secret has yet to reveal the nature of the incident.

"We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution. We are working to quickly and securely restore operations. We continue to serve customers in our Victoria’s Secret and PINK stores," BleepingComputer was told.

Hillary Super, the retailer's chief executive officer, also told employees that "Recovery is going to take awhile," in a note sent to employees and seen by Bloomberg News.

​Two weeks ago, French luxury fashion brand Dior disclosed another cybersecurity incident after unknown attackers accessed data on some Dior Fashion and Accessories customers.

German sportswear giant Adidas also revealed a data breach last week after threat actors who hacked a customer service provider stole some of its customers' data.

These incidents follow a series of other attacks targeting retailers across the United Kingdom over the last several months, including Harrods, Co-op, and Marks & Spencer.

Marks & Spencer is now bracing for a potential profit hit of up to £300 million (approximately $402 million) after the breach led to widespread sales and operational disruptions.

Although it's unclear whether these attacks are connected, the DragonForce ransomware operation has claimed responsibility for all three incidents. BleepingComputer also discovered that the attackers had employed social engineering tactics associated with the Scattered Spider threat actors.

Last week, Google warned that Scattered Spider is now also targeting retailers in the United States in ransomware and extortion operations.

Update May 29, 09:07 EDT: Added Victoria's Secret statement.

Attackers are mapping your attack surface—are you?

New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers

Free online web security scanner