I tweeted about this breach disclosure earlier today after Zack Whittaker called everyone’s attention to it, and I am glad to see that Catalin has written the matter up:
In a data breach notification letter submitted to the Office of the Attorney General for the state of California, a makeup product vendor said it could not fully assess the impact of a recent card security breach due to a lack of backups.
[…]
Beautyblender started investigating the incident after two customers complained about fraudulent transactions on credit cards used on the site.
[…]
“Unfortunately, due to the lack of backups of the website that were available from the website hosting company, beautyblender has been unable to confirm the date that the malware was placed on the website.”
Their last backup was in April, 2015. Ugh.
Read more on BleepingComputer.