Global cosmetics brand Avon has become the latest company to suffer from server misconfigurations, leading to a massive data leak.
On Tuesday, July 28, cyber security researchers at SafetyDetectives revealed they discovered an Elasticsearch database belonging to the cosmetic giant on an Azure server, with no password or encryption.
According to the team, the unprotected server exposes a total of 19 million records, including personal information and technical logs of the company site.
“Our Security team, led by Anurag Sen, discovered Avon.com’s US server without encountering any security measures or protection. The vulnerability effectively means that anyone possessing the server’s IP-address could access the company’s open database,” the researchers revealed on a blog report.
Personal details accessible on the unprotected server include full names, phone numbers, dates of birth, email addresses, home addresses, and GPS coordinates of Avon customers. Names of company employees are also suspected to have been exposed, along with administrator user emails.
Moreover, production server details for Avon.com were also found on the server, including security tokens, OAuth tokens, internal logs, and account settings. According to the researchers, exposure of this data leaves Avon’s IT infrastructure vulnerable to attacks orchestrated by malicious hackers.
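The root cause described above is an Elasticsearch node reachable from the internet with neither authentication nor TLS. The following elasticsearch.yml fragments are an added illustration, not configuration from Avon or from the SafetyDetectives report: the first shows the kind of settings that produce an open node, the second the settings a defender would apply instead. The keystore file names (http.p12, elastic-certificates.p12) and the private address 10.0.0.5 are assumed placeholders; the setting keys themselves are standard Elasticsearch (7.x and later) options.

```yaml
# --- Weak configuration (the pattern behind "no password or encryption") ---
# Binding to all interfaces puts the REST API on the VM's public IP, and with
# security disabled anyone who reaches port 9200 can read every index.
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false          # no users, roles, or passwords
xpack.security.http.ssl.enabled: false # cleartext HTTP, tokens and PII readable on the wire

# --- Hardened configuration ---
# Bind only to the private subnet address; reach the node through a bastion,
# VPN, or an application tier on the same virtual network.
network.host: 10.0.0.5                 # assumed private address, not a public IP
http.port: 9200
discovery.type: single-node

# Turn on the security layer so every request needs a user, API key, or token.
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

# TLS on the REST API so credentials and documents are not sent in cleartext.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12   # assumed file in the config dir

# TLS between nodes as well, with certificate verification.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12   # assumed file
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 # assumed file

# Audit logging records who queried what, which is how an exposure like this
# gets noticed from the inside rather than by outside researchers.
xpack.security.audit.enabled: true
```

Two practical notes on the hardened fragment. First, `network.host` and `xpack.security.enabled` are the two settings worth checking first on any node that was stood up quickly: a node that answers `GET /` on its public address with cluster and version details and no 401 is open regardless of what else is configured. Second, on a cloud VM the bind address is only half of the control; the network security group or firewall in front of the instance should also deny inbound 9200/9300 from anywhere except the application subnet, so that a later change to network.host cannot silently re-expose the data.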
“Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand; namely, ransomware attacks and paralyzing the company’s payments infrastructure,” the researchers explained.
According to the researchers, the initial investigation uncovered about 6GB of data on the misconfigured server. Further research raised this figure to over 7GB, amounting to more than 19 million document records in total.
“According to our Security team, Avon.com’s cybersecurity vulnerability first surfaced on 3 June 2020 and was subsequently discovered by our operatives on 12 June 2020. Following the discovery, our team made direct contact with Avon representatives with the company able to secure the server shortly thereafter,” the researchers added.
Interestingly, even before the team reached out to the cosmetics giant, a statement from Avon dated June 9, 2020, revealed that an incident had “interrupted some systems and partially affected operations” of the company. Days later, Avon clarified in a second regulatory filing that no financial data had been affected by the incident.
Founded in 1886, Avon sells skincare, cosmetics, fragrance, and personal care products. According to Infosecurity, the cosmetics brand “boasts over $5.5bn in annual worldwide sales.”