ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Hack Report: Sally Beauty Supply Stores

Updated on February 6, 2020

Sally Beauty Supply Stores

Hacked Twice!

Dates of Breaches: February 2014, March 2014

Number of People Affected: Approximately 25,000 Patrons of over 2,600 stores

Date of Report: March 17, 2014


Sally Beauty Supply Company, a supplier of beauty and cosmetics, was hacked twice: once in February 2014 and again around March 2, 2014.

Hackers broke into their network and stole credit and debit card data - the part that is embedded in the magnetic strip. Brian Krebs, blogger owner at KrebsOnSecurity, to which I subscribe, reported on this breach nearly two weeks before the cosmetic supply company confirmed it.

The results of some detective work by Brian Krebs pointed to the thief as Rescator, a repeat offender who runs a member-only black market website reselling credit and debt card data.

This is the same hacker who infiltrated Target stores netting data from over 40 million credit and debit cards in December 2013 and P F Chang China Bistro, a class action lawsuit mentions upwards of 7 million credit and debit cards involved in their breach.

On March 5, 2014, a fresh batch of 282,000 cards under the batch name "Desert Strike" was put up for sale on Rescator. While Sally Beauty claimed to have only 25,000 in breach, the remainder in this batch came from another breach which the Secret Service have yet to determine. Either a company didn't report their breach, or they haven't detected it yet.

Although they are saying only 25,000 cards were affected, there is more to this story than meets the eye and I'm sure we will hear about this in coming weeks.

This was the official report - No customer cards were stolen

Club Card



The timing of Rescator's sale advertisement was suspect. The “validity rate” advertised acts as a big tip-off to show how "new" the cards were.

  • Showing rates like 97% to 100% means very new data - probably within the previous 24 to 48 hours.

The "validity rate" also tells their buyers that because the cards are so new, they will have little or no worries about being able to use them since they haven't been reported as stolen cards yet.

  • As more of that batch shows up as declined or canceled by the card's bank, the validity rate goes down, ultimately rendering the cards useless.

Rescator won't be able to sell them as easily OR for a great deal of money once they are reported or flagged at points of service.

  • He will need to unload them at bargain basement prices since most cards will no longer be usable.
  • His validity rate will drop and some buyers will buy a batch hoping to get at a handful of good cards and knowing most will be bad cards.

Once a batch of cards (or any part of the batch) is linked to a particular merchant as stolen, the US Secret Service contacts the banks of the credit and debit cards used at that merchant to cancel all of them, rendering the cards AND Rescator advertisements of no value.

Question about credibility

After reading that Sally Supply Stores customer card data showed up on Rescator's website, do you believe the company when they say no customer data had been stolen?

See results

Brian Krebs' Investigation

Brian Krebs is a former reporter for The Washington Post newspaper. When his entire home network was overrun by a Chinese hacking group in 2001, he became obsessed in learning all there was to learn about the underbelly of the hacking world. He is well respected for his knowledge, his results and blogging about his findings.

Brian Krebs notified three banks, who, on his information, purchased a total of 15 cards from the "Desert Strike" batch. They checked their validity with test purchases, then compared the cards to find a common point where they had been used - a merchant where all 15 cards were charged.

That turned out to be Sally Beauty Supply, confirming that the Desert Strike batch held part or all of their stolen data.

Cards (and card data) were advertised at about $18 for a pre-paid Visa to as much as $150 for American Express card, Platinum, and frequent flyer mile type cards.

Sally Beauty hired Tripwire and Verizon Enterprise Solutions to detect their intrusion which was narrowed down to the last week of February and part of March 2014.

The timing of Rescator's quickly advertised sale corresponds with dates of Sally Beauty's intrusion. All three banks which Brian Krebs contacted began to report fraudulent activity on many cards that were used at Sally Beauty during those dates.

Sally Beauty Supply Company made three separate statements on their website ( which also carries some Q & A to notify their customers. No letters were sent, so if one was not a frequent website user, they would never have seen these three statements.

Shopper Question

Have you or a member of your family shopped at Sally Beauty Supply Stores during February or March 2014?

See results

Sally Beauty Supply Company's Solution

Per their website: they are "offering one free year of credit monitoring and identity-theft protection services for those customers who may have been affected. They did not name the monitoring company.

If you are interested in this service, please contact the customer service line at 1-866-234-9442 or for assistance with enrollment, Monday through Friday, 9:00 a.m. to 7:00 p.m. and Saturday, 10:00 a.m. to 5 p.m. (Eastern Standard Time)."

© 2014 Rachael O'Halloran


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)