Estée Lauder Exposes 440M Records, with Email Addresses, Network Info | Threatpost

A non-password protected cloud database containing hundreds of millions of customer records and internal logs for cosmetic giant Estée Lauder has been found exposed online, according to researchers.

In all, 440,336,852 individual data pieces were exposed, according to researcher Jeremiah Fowler at Security Discovery. Importantly, many of the records contained plaintext email addresses (including internal email addresses from the @estee.com domain). There were also reams of logs for content management systems (CMS) and middleware activity. Fortunately, there was no payment data or sensitive employee information included in the records that Fowler saw.

“This company has been a household name for over 70 years and had an annual revenue of $14.863 billion in 2019 – [so] it seems logical that there would be a large dataset associated with the business,” Fowler wrote in a report on his discovery, published Tuesday. He added that while he saw that there were “massive” numbers of consumer email addresses involved, he didn’t calculate the total number because he immediately pivoted to notifying the company.

“I can only speculate or assume that the email addresses were from digital commerce or online sales,” he said.

As for the other data, most of it could be used as reconnaissance for a larger network attack, Fowler noted. The logs, for instance, contained IP addresses, ports, pathways and storage information that could be used to map out the company’s internal LAN or WAN. The middleware the company uses to connect its different data-generating software packages was also detailed.

Middleware typically handles tasks like providing a consistent front-end for data management across different internal systems; application services; messaging; authentication; and API management.

“Middleware can create a secondary path for malware, through which applications and data can be compromised,” Fowler explained. “In this instance, anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”

After making several phone calls and sending several emails over the course of a few hours, Fowler was able to get a message through to the security team at Estée Lauder, and the database was closed the same day. It’s unclear how long the Estée Lauder database was exposed or who else may have accessed the records during that time, he noted, so customers should be on the alert for phishing emails.

“This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences,” said Erich Kron, security awareness advocate at KnowBe4, via email. However, he praised the company for its quick action: “This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be accessed from nearly anywhere in the world. I give Estée Lauder credit for quickly resolving the issue once they were informed about it, as many organizations move far too slowly in this respect.”

Misconfigured, internet-exposed databases continue to be a common problem, including for very big, brand-name companies with years’ worth of data. In January, for instance, it was revealed that misconfigured Microsoft cloud databases containing 14 years of customer support logs had exposed 250 million records to the open internet for 25 days. The account info dates back as far as 2005 and is as recent as December 2019 — and exposes Microsoft customers to phishing and tech scams.