The breach also affected users in Singapore, Malaysia, Indonesia, Thailand, Philippines and Hong Kong.
"Please be reassured that no credit card information was accessed, and we have no reason to believe that any personal data has been misused," the retailer said in the email sent to staff.
"We are sorry for any concern or inconvenience this may cause you. As a precaution, we have cancelled all existing passwords for customer accounts and have thoroughly reviewed our security systems."
Sephora said it would offer a personal data monitoring service through a third-party provider to its customers affected by the data breach at no cost.
Beth Glancey, Sephora Australia and New Zealand country manager, said the retailer had indentified the security incident over the last two weeks, and had no evidence of its customers' personal information being misued.
"We have reached out to our affected customers to explain what happened, and what steps they should take. We are also offering personal data monitoring services to all customers, where available and at no cost to them, through local third-party providers," Glancey said in a statement.
"Being transparent and protecting the safety of our customers' information is our utmost priority."
The Herald has contacted Sephora for further comment.
Sephora has been operating an online store in New Zealand for three years.
A spokesman for Privacy Commissioner John Edwards said Sephora had informed his office about the breach.
A revamp of the Privacy Act, currently working its way through Parliament, will make data breach disclosure mandatory.
