Cosmetics giant Yves Rocher suffered a data leak that exposed the personal information of millions of its customers. The international cosmetics brand reportedly experienced the leak because of a third-party error: an unprotected database server.
According to Threatpost, a third-party consultant left a database unprotected, compromising customer information. The exposed data includes first and last names, email addresses, dates of birth, zip codes, and customers' phone numbers.
In total, approximately 2.5 million Canadian customers were affected by the unprotected database. The researchers who reported the exposure were also able to access more than 6 million customer orders placed with the cosmetics giant. Threatpost revealed that each of these orders was linked to a customer ID, identifying the individual who placed it.
vpnMentor researchers disclosed that the unprotected server belonged to Aliznet. Besides Yves Rocher, Aliznet provides services to other companies such as Sephora, Louboutin, IBM, and Salesforce.
Apart from customer information, Yves Rocher's confidential business data was also found on the server. Based on the report, employee profiles, promotional materials, client feedback, and success stories were accessible to potential attackers. Information on internal store traffic and turnover, as well as product descriptions, prices, and promo code offers, was also found in the database.
Researchers also accessed the company's API interface, which Aliznet had built. Based on Threatpost's article, the API links to databases containing consumer information such as addresses and order histories.
Researchers say attackers could gain access to the system with only an employee ID and login code. Furthermore, researchers said, “this tool [could] tamper with data related to customers, products, stores, and more.”
In a blog posted last Monday, September 2, 2019, vpnMentor researchers alerted the French company that its Elasticsearch server remained unprotected. The blog post raised security issues and concerns that might also affect other servers managed by Aliznet.
As of writing, neither Yves Rocher nor Aliznet had issued a statement on the incident, and there are no new findings or updates on the security and protection of the database.
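The root cause described above is an Elasticsearch instance reachable over the network without authentication. The following script is an added example (not code from the article, vpnMentor, Aliznet or Yves Rocher) showing how an operator can audit an elasticsearch.yml fragment for that exact combination: a non-loopback network.host together with xpack.security.enabled left off, which was the default before Elasticsearch 8.0. The sample configurations are constructed for illustration and assume the setting names used by Elasticsearch's own configuration file; the tiny key: value parser is a convenience so the example runs without third-party libraries, and a real audit would use a proper YAML parser.

```python
"""Audit an elasticsearch.yml fragment for the "open to the network without
authentication" misconfiguration.

Hypothetical example written for this article; not the configuration of any
company named in it.
"""

# Values of network.host that keep the HTTP/transport ports on loopback only.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Read top-level `key: value` lines; strips comments and quotes.

    Minimal on purpose (no nesting, no lists) so the example has no
    dependencies. Use PyYAML or similar for a real configuration file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(yaml_text):
    """Return a list of (code, detail) findings for the given config text."""
    s = parse_flat_yaml(yaml_text)
    findings = []

    # Elasticsearch binds to loopback unless network.host is set. A list value
    # such as "[_local_, _site_]" is not in LOOPBACK_HOSTS and is therefore
    # treated as network-reachable, which is the conservative choice.
    host = s.get("network.host", "_local_")
    reachable = host not in LOOPBACK_HOSTS

    # Treat a missing xpack.security.enabled as "off": that was the default in
    # every release before 8.0, so the check is conservative on newer versions.
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if reachable and not security_on:
        findings.append((
            "EXPOSED_NO_AUTH",
            f"network.host={host} is reachable from the network while "
            f"xpack.security.enabled is not true: anyone who can reach port "
            f"{s.get('http.port', '9200')} can read and modify every index.",
        ))
    if reachable and security_on and not tls_on:
        findings.append((
            "HTTP_PLAINTEXT",
            f"network.host={host} with authentication on but "
            f"xpack.security.http.ssl.enabled is not true: credentials and "
            f"query results travel in clear text.",
        ))
    return findings


# Constructed sample configurations for the demonstration.
WEAK_CONFIG = """
cluster.name: crm-search
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no username/password on the REST API
"""

AUTH_NO_TLS_CONFIG = """
cluster.name: crm-search
network.host: _site_
xpack.security.enabled: true
"""

HARDENED_CONFIG = """
cluster.name: crm-search
network.host: _site_
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG),
                      ("auth-no-tls", AUTH_NO_TLS_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(f"== {name} ==")
        for code, detail in audit_elasticsearch_config(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

The audit is deliberately conservative: a missing setting is treated as the insecure pre-8.0 default, and any network.host value that is not a recognised loopback token is treated as reachable, so a false positive costs a moment of review while a false negative would reproduce the situation reported above.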
Repercussions of the Incident
Unprotected servers and exposed information mean more than a loss of business for Aliznet and other third-party consultants. They could also lead to attackers, particularly industry competitors, mining these databases and using the data to their advantage. Moreover, such an incident could erode the trust and confidence of current Aliznet clients and future partners.