When hackers breached SHEIN, a U.S. based online fashion retailer, they were able to access the emails and encrypted passwords of 6.42 million customers, the company said.

“On August 22, SHEIN became aware that personally identifiable information of its customers was stolen during a sophisticated criminal cyberattack on its computer network,” the retailer said in a statement on its U.K. website, prompting it to hire both an international forensic cybersecurity firm and an international law firm to investigate the incident.

“Our investigation has confirmed that the perpetrators gained access to email addresses and encrypted password credentials of customers who registered on the company website,” SHEIN said, stressing that there is no evidence that credit card information was stolen. “SHEIN typically does not store credit card information on its systems.”

Citing internal policy, the company declined to discuss the specifics of the breach, but said its online store is safe to visit and use, and it encouraged customers to click a link their email notifications to reset their passwords.

SHEIN will “continue to closely monitor the network and servers so future breaches can be prevented” and is “evaluating/implementing additional security measures” recommended by investigators, the statement said. “We continuously try to improve those safeguards in response to evolving technology and threats.”

With the holiday shopping season “just around the corner,” Zohar Alon, co-founder and CEO of Dome9, warned that “breaches like this often result in low customer trust and reduced sales. The timing of this incident and how long it went unnoticed can have serious business implications for SHEIN.”

He stressed that organizations should safeguard valuable personally identifiable information (PII). “Every business is a target for hackers, and companies like SHEIN that own incredibly large customer databases must have continuous visibility into all of their assets, so they can quickly remediate potential threats and better protect consumer data,” he said.

Noting that the breach occurred in June, but was discovered in late August, Ruchika Mishra, director of products and solutions at Balbix, said, “It’s clear that organizations like SHEIN rely heavily on reactive cybersecurity strategies that detect and control breaches in progress or after the fact — and often not fast enough.”