Aditya Birla Data Breach
Aditya Birla Fashion & Retail Breach (2021): 4.5 Million Indian Customer Records Including Income, Religion & Marital Status Exposed
Aditya Birla Fashion & Retail – major Indian apparel and lifestyle brand.
Risk Interpretation
Exposure enables phishing, delivery scams, order fraud, and profiling based on retail behavior. Large brand portfolios also broaden the downstream targeting surface.
Impact & Downstream Threats
ABFRL responded publicly to the 2021 breach, acknowledging the incident, resetting customer passwords, enabling OTP authentication, and engaging external forensic investigators. The company stated that there was no operational or business impact and denied that financially sensitive payment data had been compromised. Independent reporting and the threat actor itself contradicted parts of that account, with claims of credit-card and CVV data in the leaked dataset. There is no public record of for
- Credential stuffing against reused passwords across other platforms
- Financial fraud using exposed financial profile data
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
- Employment-based social engineering using job and employer data
Threat Vectors
Breach Intelligence
Executive Summary
Aditya Birla Fashion and Retail Ltd, the Indian fashion retailer that operates Pantaloons and a portfolio of premium apparel brands, was breached in December 2021 by the data-extortion group ShinyHunters. The attackers gained unauthorized access to the company's e-commerce database, exfiltrated roughly 700 GB of data, and demanded a ransom. ABFRL declined to pay, and the data was subsequently published on a hacking forum in January 2022.\n\nThe leaked corpus contained around 4.5 million customer records, with around 5.4 million unique email addresses across associated brand sites. Customer fields included names, salutations, phone numbers, physical addresses, gender, marital status, religion, income levels, job titles, purchase histories, and passwords stored as weak MD5 hashes. The dump also included employee records covering salary, marital status, and religion, alongside invoices, server logs, and portions of website source code. The threat actor claimed full payment-card data with CVV was also among the files, an assertion the company publicly disputed.\n\nFor affected customers, the practical risk extends beyond standard contact-fraud scenarios because of the unusual sensitivity of fields exposed. Religion and income data create profiling and discrimination risks specific to the Indian context. The MD5-hashed passwords are effectively crackable by modern standards, raising credential-stuffing risk wherever the same password was reused. Anyone who held a Pantaloons, Jaypore, or other ABFRL-brand account in 2021 should rotate passwords across services and treat unsolicited messages referencing past purchases or loyalty programs with caution.
About Aditya Birla
Aditya Birla Fashion and Retail Ltd, generally known by its abbreviation ABFRL, is one of India's largest fashion and lifestyle retailers and a subsidiary of the broader Aditya Birla Group. Headquartered in Mumbai, the company operates a portfolio of premium and mass-market apparel brands including Pantaloons, Louis Philippe, Van Heusen, Allen Solly, and Peter England, alongside the Jaypore.com online marketplace. As of late 2021, the company ran more than 3,200 company-owned stores and was present in roughly 26,000 multi-brand outlets across India. Its customer database spans both physical retail loyalty programs and direct e-commerce.
Why They Hold Your Data
Multi-brand fashion retailers collect customer identity, contact details, addresses, order history, payment-adjacent data, and loyalty or marketing-engagement records across retail operations.
Recent Developments
ABFRL has continued to operate and expand its retail and brand portfolio in the years since the 2021 breach. The company reset customer passwords and added one-time-passcode authentication after the incident. India's data-protection regime has matured significantly since 2021, with the Digital Personal Data Protection Act passed in 2023, which raises the regulatory expectations for any future incident at ABFRL or its peers. The company has not been publicly tied to a further large-scale breach disclosure since 2021. Public scrutiny of consumer-data practices in the Indian retail and e-commerce sector has increased steadily since the original incident.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, financial_profile:income, full_name, gender, job_information:job_title, password, phone_number, physical_address, relationship_status:marital, religion, salutation, transaction_history:purchase
Dark Web Verification
- Dataset containing ~4.5M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: abfrl.com-2021;Aditya Birla Fashion and Retail Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Aditya Birla
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam