Women’s fashion retailer SHEIN has been forced to admit that hackers may have accessed 6.4 million customer passwords following a malware attack.

The major security breach saw hackers place malware on SHEIN servers, which then enabled them to access personal data via a backdoor. Somewhat reassuringly, though, it seems only email addresses and “encrypted password credentials” were accessed, as the company said it doesn’t store payment data on its systems.

Specifics details about the hack have not been revealed, as SHEIN said it’s not company policy to divulge such information. However, it’s widely thought to be the work of Magecart, which generated headlines earlier this year with similar high-profile attacks, including one on Ticketmaster.

In a statement announcing it had been a victim of malware, SHEIN expressed “regret” for the breach and said it would offer identity threat monitoring services for free to “affected customers in certain markets”.

SHEIN said it would also email customers to inform them of the breach and outline how to change their passwords. However, cybercrime experts have warned users to be wary. Though they may be expecting an email from SHEIN, the fact that cybercriminals could now have their email addresses makes potential phishing scams significantly more likely.

Any enterprising hacker could quickly send out an email to addresses on the SHEIN list – made to look like it was from the company – with a spurious link claiming to be how users change their passwords. From here, a hacker could also ask for further information (such as banking details) or use the new password to gain access to any other sites where the same credentials have been used.

As leading cybersecurity journalist Graham Cluley noted: “Every time you use the same password on different websites, you are increasing the chances that a hacker will be able to successfully exploit credentials stolen during an attack on one site to break into other accounts you may own online.”