4
credentials had been stolen in the breach. Instead, Zoetop identified a subset of the more than 39
million impacted accounts that had previously placed an order with SHEIN—6.42 million accounts
worldwide, including more than 375,000 New Yorkers—and, of this subset, contacted accounts in
the U.S., Canada, and Europe, recommending that these account holders themselves initiate a
password reset. Zoetop also offered the U.S. residents in this group identity theft protection at no
charge. The bulk of the SHEIN accounts impacted in the breach—more than 32.5 million accounts
worldwide, including 255,294 New York residents—were not contacted.
9. Around this time, Zoetop also publicly disclosed the breach, issuing a press release
and posting a “Frequently Asked Questions” (“FAQ”) page on its website concerning the breach.
Several of the statements the company made in these documents, however, were misleading.
10. In the press release and FAQ, Zoetop stated that approximately 6.42 million
customers had been impacted in the breach. The press release also stated that the company was in
the process of notifying “customers who may have been affected.”
11. However, as noted above, Zoetop had determined that credentials from more than
39 million accounts had been stolen in the attack. The figure in the press release and on the SHEIN
website—6.42 million—included only those accounts that had placed an order with SHEIN.
Moreover, contrary to Zoetop’s statement, most accounts affected by the attack were not directly
contacted by the company. As noted above, only accounts in the U.S., Canada, and Europe who
had placed an order with SHEIN were contacted.
12. Zoetop also made a misrepresentation in the FAQ page posted on the SHEIN
website. The FAQ contained the following statement:
Was my credit card information stolen?
We have seen no evidence that your credit card information was taken from