An unsecured database belonging to cosmetic giant Estee Lauder has exposed hundreds of millions of customer records and internal logs.
Security researcher Jeremiah Fowler discovered the non-password-protected database on January 30.
The database consisted of 440,336,852 records, which contained plaintext email addresses, including internal email addresses from the @estee.com domain. In addition, the database exposed production, audit, error, content management systems and middleware logs.
“I can only speculate or assume that the email addresses were from digital commerce or online sales,” wrote Fowler.
Middleware is software that provides common services and capabilities to applications and handles data management, application services, messaging, authentication and API management.
“Middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” explained Fowler.
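As an added illustration of the defensive point above (example code, not from the article or from Fowler), the following Python scans constructed middleware-style log lines for the kinds of details the exposure revealed, internal e-mail addresses, build strings and file paths, and redacts them before a log copy is stored or shared; the domain, paths and build identifier are made-up placeholders.

```python
import re

# Constructed sample audit/middleware/error log lines (not real data);
# "internal.example" stands in for a company's internal mail domain.
SAMPLE_LOGS = [
    "2020-01-30T10:15:02Z audit user=jane.doe@internal.example login ok",
    "2020-01-30T10:15:03Z middleware build=esb-4.2.17 path=/opt/app/middleware/conf/gateway.xml",
    "2020-01-30T10:15:04Z error order=7781 customer=buyer@example.com status=500",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BUILD_RE = re.compile(r"\b(version|build)=[^\s]+", re.IGNORECASE)
# An absolute path with at least one directory component, not preceded by a word char or slash.
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)+[\w.-]+")


def redact_line(line: str) -> str:
    """Replace e-mail addresses, build/version strings and filesystem paths
    so a copy of the log can be shipped or shared without leaking them."""
    line = EMAIL_RE.sub("<email>", line)
    line = BUILD_RE.sub(lambda m: m.group(1) + "=<redacted>", line)
    line = PATH_RE.sub("<path>", line)
    return line


def find_exposures(lines, internal_domain: str) -> dict:
    """Count what an exposed copy of these logs would reveal: internal versus
    customer e-mail addresses, build identifiers and internal paths."""
    summary = {"internal_emails": 0, "customer_emails": 0, "builds": 0, "paths": 0}
    for line in lines:
        for addr in EMAIL_RE.findall(line):
            if addr.lower().endswith("@" + internal_domain.lower()):
                summary["internal_emails"] += 1
            else:
                summary["customer_emails"] += 1
        summary["builds"] += len(BUILD_RE.findall(line))
        summary["paths"] += len(PATH_RE.findall(line))
    return summary


if __name__ == "__main__":
    print(find_exposures(SAMPLE_LOGS, "internal.example"))
    for raw in SAMPLE_LOGS:
        print(redact_line(raw))
```

Run against a real log export, the exposure summary shows what an unauthenticated reader of that store would learn, and the redacted form is what should have been stored in any shared or internet-reachable location.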
Upon discovering the database, Fowler immediately sent a responsible disclosure notice to Estee Lauder alerting them to the exposure. After numerous phone calls and several emails, the security team at Estee Lauder received Fowler’s message, and the database was closed the same day.
It is unclear how long the database was exposed or who may have accessed the records during that time.
“This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences,” Erich Kron, security awareness advocate at KnowBe4, told Threatpost.