Cosmetics Giant Estèe Lauder Leaks Data on Almost Half a Billion Customer Records
Security researchers have discovered a freely-accessible database of Cosmetics giant Estèe Lauder with 440 million records found in plain text online. Estèe Lauder is the parent company of a number of cosmetics brands, including Bobbi Brown, Clinique, M.A.C., Smashbox, Tom Ford, Tory Burch and Aerin Beauty.
Jeremiah Fowler, a security analyst with Security Discovery found the database of 440,336,852 records without any password protections, making it both extremely easy to access and lucrative for a potential cybercriminal to use the details listed for targetted phishing attempts via email.
In a post online, Fowler explained that “there were millions of records pertaining to middleware that is used by the Estèe Lauder company.”
“Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” he said.
Reports state that “it’s unclear how many user emails were exposed, but the cosmetics giant claimed in an emailed statement that they were ‘nonconsumer’ and instead came from an internal ‘education platform.’”
“To the best of my knowledge,” Fowler continued to explain, “the database did not contain payment data or sensitive employee information based on what I personally saw. I reported my findings as soon as I made an assumption of who owned the data and did not have the time to validate 440 million records before public access was closed. With the understanding that every second counts when it comes to the risks of a data exposure, our top priority was alerting Estèe Lauder.”
“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised,” Fowler added. “In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and the other information that could serve as a backdoor into the network.”
It took Fowler several attempts at contacting Estèe Lauder before he was able to get the company to respond. Now, however, the company says it is acting “fast and professionally” to block access to the database and clean up in the aftermath.
There is no indication that payment details or sensitive employee or customer information was listed in the database, however, Fowler has warned that whatever information was indeed listed on the database could be a top prize for potential scammers and cybercriminals.