Researchers discover leak of personal data of millions of Yves Rocher customers

Yves Rocher, a company specializing in the manufacture of cosmetic products, has reported a leak of the personal data of millions of its customers.

Private individuals were not the only ones affected: the company itself suffered as well, because confidential internal documents were also compromised.

The cause of these unpleasant consequences was a database left on the Internet without a password. A third-party consultant who left the database open is suspected of mishandling the data.

vpnMentor experts said this week that an unprotected Elasticsearch server belonging to Aliznet was found on the Internet. Aliznet provides services to large corporations such as IBM, Salesforce, Sephora and Louboutin.

Yves Rocher data was also stored on the server, since the cosmetics giant also works with Aliznet. Most importantly, the server exposed the personal data of millions of Yves Rocher customers.

“The most negative consequences, of course, will fall on Aliznet – large companies with a worldwide reputation trusted it with their confidential information. Moreover, Aliznet may well have at its disposal yet another such server, merging the data of other large clients,” the researchers write.

According to the researchers, they were able to access the personal data of 2.5 million customers of the cosmetics company: full names, phone numbers, email addresses and dates of birth were all present in the database.


In addition, the researchers were able to view orders from about six million Yves Rocher customers. Each order carried a unique identifier.

“For each order, we were able to view the transaction amount, currency used, delivery date, and the location of the store where the order was placed. The order records also included the full name of the employee who processed each order, along with their employee ID. Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID,” reports Noam Rotem of vpnMentor.

It is currently unknown whether the company has taken measures to protect the database. Aliznet and Yves Rocher have not yet commented on the incident.

Advice from the Experts:

This data leak could easily have been prevented with some very basic security measures. At a minimum, you should always follow these security practices:

  • Secure your servers
  • Implement appropriate access rules
  • Require authentication to access all systems

Leaving an unsecured system open to the internet is never a good idea, even if you don’t think it contains sensitive information.
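To make the three practices above concrete for the kind of system involved here, the following is an added illustration (not part of the original article or of vpnMentor's report) of an Elasticsearch 7.x `elasticsearch.yml` in the exposed state beside a hardened version. The cluster name, the private address `10.0.5.12` and the certificate paths are constructed placeholders; the `network.host` and `xpack.security.*` settings themselves are real Elasticsearch configuration keys.

```yaml
# --- Exposed configuration (constructed illustration of what leads to an open cluster) ---
cluster.name: customer-data
network.host: 0.0.0.0          # binds every interface: reachable from the Internet if the host has a public IP
http.port: 9200
xpack.security.enabled: false  # no authentication: anyone who can reach port 9200 can read and dump every index

# --- Hardened configuration ---
cluster.name: customer-data
network.host: 10.0.5.12        # private interface only (placeholder address); never a public one
http.port: 9200
xpack.security.enabled: true   # every REST and transport call now requires credentials
xpack.security.http.ssl.enabled: true              # credentials and data travel over TLS, not plaintext HTTP
xpack.security.http.ssl.keystore.path: certs/http.p12                   # placeholder path
xpack.security.transport.ssl.enabled: true         # node-to-node traffic is encrypted and authenticated
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # placeholder path
```

Enabling `xpack.security.enabled` is only the first step: after restarting, set passwords for the built-in users (`bin/elasticsearch-setup-passwords interactive` on 7.x), restrict port 9200 to the application hosts with a host or cloud firewall, and give each application its own user with a role scoped to the indices it actually needs rather than a superuser account. A quick self-check from outside the trusted network is to request the cluster root URL without credentials; a properly secured node answers with HTTP 401, not with cluster metadata.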


About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
