Researchers discover leak of personal data of millions Yves Rocher customers

by Brendan Smith
September 4, 2019
Data leak in Yves Rocher
Written by Brendan Smith

Yves Rocher, a company specializing on manufacturing of cosmetic products, reported the leak of personal data of millions of customers.

In addition to private individuals, the company itself suffered as well cause were compromised confidential internal documents.

Such unpleasant consequences were caused by a database located on the Web without a password. A third-party consultant who left the database open is suspected of neglecting important data.

VpnMentor experts said this week that an unprotected Elasticsearch server belonging to Aliznet was found on the Internet. It is the latter that provides services to such large corporations as IBM, Salesforce, Sephora and Louboutin.

Yves Rocher company data was also stored on the server – the cosmetic giant also collaborates with Aliznet. Most importantly, the server “dumped” personal data of millions Yves Rocher customers.

“The most negative consequences, of course, will fall on Aliznet – large companies with a worldwide reputation trusted her their confidential information. Moreover, Aliznet may well have at its disposal yet another such server, merging the data of other large clients”, — the researchers write.

According to experts, they were able to access the personal data of 2.5 million customers of the cosmetic company. Full names, phone numbers, email addresses, dates of birth – all this was present in the database.

Read also: Google recommends updating Chrome due to vulnerability in Blink engine

In addition, researchers were able to view orders from about six million cosmetics users from Yves Rocher. Each such order contained a unique identifier.

“For each order, we were able to view the transaction amount, currency used, delivery date, and the location of the store where the order was placed. The order records also included the full name of the employee who processed each order, along with their employee ID. Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID”, — reports Noam Rotem from vpnMentor.

It is currently unknown whether the company has taken measures to protect its database. Aliznet and Yves Rocher have not yet commented on the incident.

Advice from the Experts:

This data leak could have been easily prevented with some very basic security measures. At a minimum, you should always make sure to follow these security practices:

  • Secure your servers
  • Implement appropriate access rules
  • Require authentication to access all systems

Leaving an unsecured system open to the internet is never a good idea, even if you don’t think it contains sensitive information.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

View all posts

Leave a Reply

Sending