Victoria’s Secret has taken its U.S. website offline and is experiencing disruptions to some in-store services following a security incident. Customers visiting the site are met with a message explaining that operations have been paused “as a precaution” while the company works to resolve the issue.
The Ohio-based retailer hasn’t provided many specifics about the nature of the incident—such as whether it’s a cyberattack or ransomware event—but a company spokesperson confirmed that response protocols were quickly initiated and third-party cybersecurity experts were brought in to assist.
It’s unclear exactly when the problem was first detected. While the website went offline on Wednesday, some customers reported issues as early as Monday. The company’s FAQ page says there’s currently no timeline for when the website will be restored. Orders placed before Monday are still being processed, and return windows along with some promotional offers will be extended for affected U.S. customers.
Stores across the U.S., including Victoria’s Secret and its PINK locations, remain open. However, certain services—like returning online purchases in person—have been temporarily suspended. Online customer support is also unavailable for now.
There’s no confirmation on whether stores outside the U.S. are affected, but the company’s U.K. site was still operational as of Thursday.
According to a report from Bloomberg News, internal operations may also be impacted. Some employees reportedly lost access to their company email accounts, and parts of office functions were paused.
Shares of Victoria’s Secret dropped around 4% midday Thursday in response to the news.
While the company hasn’t confirmed a cyberattack, the signs—such as widespread digital and operational disruption—suggest that this could be the case. Cyber incidents are becoming increasingly common, particularly among retailers. Just last week, Adidas disclosed that a third-party provider suffered a breach, compromising some customer contact information.
Several U.K. retailers, including Marks & Spencer, Harrods, and Co-op, have also recently fallen victim to cyberattacks. The incident at M&S was especially severe, halting online orders and leaving store shelves bare. The company anticipates a financial loss of around £300 million ($400 million USD) due to the breach.
Security experts caution consumers to stay vigilant in the aftermath of such incidents. Cybercriminals may try to exploit the situation with phishing scams or misuse compromised personal data.
Tim Rawlins, a senior adviser with cybersecurity firm NCC Group, emphasized that pausing operations rather than rushing to restore them is key to long-term recovery. Proper patching, rebuilding, and improved security must be carefully executed to avoid further damage.
