Yves Rocher, a company specializing in the manufacture of cosmetic products, reported the leak of the personal data of millions of customers.
Besides private individuals, the company itself was affected as well, because confidential internal documents were compromised. These unpleasant consequences were caused by a database exposed on the Web without a password. A third-party consultant who left the database open is suspected of negligent handling of important data.
vpnMentor researchers reported this week that an unprotected Elasticsearch server belonging to Aliznet was found exposed on the Internet. Aliznet provides services to large corporations such as IBM, Salesforce, Sephora and Louboutin.
Yves Rocher's data was also stored on the server, since the cosmetics giant also works with Aliznet. Most importantly, the server exposed the personal data of millions of Yves Rocher customers.
“The most negative consequences, of course, will fall on Aliznet: large companies with a worldwide reputation trusted it with their confidential information. Moreover, Aliznet may well have at its disposal yet another such server, merging the data of other large clients,” the researchers write.
According to the researchers, they were able to access the personal data of 2.5 million customers of the cosmetics company: full names, phone numbers, email addresses and dates of birth were all present in the database.
In addition, the researchers were able to view the orders of about six million Yves Rocher cosmetics customers. Each order contained a unique identifier.
“For each order, we were able to view the transaction amount, currency used, delivery date, and the location of the store where the order was placed. The order records also included the full name of the employee who processed each order, along with their employee ID. Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID,” reports Noam Rotem from vpnMentor.
It is currently unknown whether the company has taken measures to protect the database. Aliznet and Yves Rocher have not yet commented on the incident.
Advice from the Experts:
This data leak could have been easily prevented with some very basic security measures. At a minimum, you should always make sure to follow these security practices:
- Secure your servers
- Implement appropriate access rules
- Require authentication to access all systems
Leaving an unsecured system open to the internet is never a good idea, even if you don’t think it contains sensitive information.
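As an added illustration of what those three practices look like for the kind of server involved here, below is an Elasticsearch node configuration with the open, password-less pattern shown beside a hardened one. This is example configuration written for this article, not Aliznet's or Yves Rocher's actual settings, and the article does not say how their server was configured; the setting names are standard Elasticsearch keys (7.x), while the address and certificate paths are placeholders.

```yaml
# elasticsearch.yml -- added example, not the configuration of any company named in the article.
# Assumption: a single Elasticsearch 7.x node; the keys below are standard Elasticsearch settings.

# --- Weak: the pattern behind "a database on the Web without a password" ---
# Binding the HTTP API to every interface and disabling the security layer means anyone
# who can reach port 9200 can list indices and read every document without credentials.
# network.host: 0.0.0.0
# http.port: 9200
# xpack.security.enabled: false

# --- Hardened: "secure your servers" and "require authentication" applied to this node ---
# 1. Bind only to the private interface the application servers use, never a public address.
network.host: 10.0.2.15          # constructed private address; replace with your own
http.port: 9200

# 2. Enable the security layer so every request must carry credentials (basic auth or API key).
#    With this on, an unauthenticated request is answered with HTTP 401 instead of data.
xpack.security.enabled: true

# 3. Encrypt client and inter-node traffic so those credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                      # placeholder path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # placeholder path
xpack.security.transport.ssl.verification_mode: certificate
```

"Implement appropriate access rules" is the part the node itself cannot do: a host or network firewall should allow port 9200 only from the application subnet. After enabling security on a 7.x node, set the built-in user passwords with `bin/elasticsearch-setup-passwords interactive` (Elasticsearch 8 enables security and generates credentials by default). A useful routine check is to request `/` on the server from a host outside the trusted network and confirm the answer is a refused connection or a 401, never cluster details.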