WizCase’s security team, led by Ata Hakçıl, has found a major breach in popular online retailer Cosmolog Kozmetik’s database. This breach exposed users’ names, email addresses, physical addresses, phone numbers, order details, and more.
Hundreds of thousands of users were compromised in the breach. There was no need for a password or login credentials to access this information, and the data was not encrypted.
What’s Happening?
Cosmolog Kozmetik is a Turkish online retailer and operates on almost all of the major Turkish e-commerce platforms including Trendyol, Hepsiburada, and Unishop. They are owned by Gercek Kozmetik. The company primarily deals in the sale and shipping of beauty products such as skincare and perfume. They also sell other goods under the name “Marketlog.”
Our team of ethical cyber researchers discovered an exposed Amazon S3 bucket belonging to the retailer containing over 9500 files and totalling almost 20GB of data. We tried to reach out to Cosmolog Kozmetik several times but received no response. We contacted the Turkish CERT as well as Amazon (hosting) a few times. At the time of writing, Cosmolog’s website wasn’t accessible.
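The bucket described above was readable without any credentials. On S3 that almost always comes down to one of three things: a bucket policy that grants access to everyone, a bucket ACL that grants the AllUsers or AuthenticatedUsers group, or Block Public Access not being fully enabled on the bucket. The following Python is an added example, not code from WizCase or Cosmolog Kozmetik, that audits those three settings offline. It operates on constructed sample documents shaped like the results of AWS's GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls (the last one as the inner `PublicAccessBlockConfiguration` dictionary); the bucket name, ARNs, account ID and VPC endpoint ID are made up.

```python
import json

# Constructed sample bucket policy (illustrative only; not the retailer's real policy).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-orders-bucket/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-orders-bucket"},
        # Anonymous principal but narrowed by a Condition: needs a human look, not flagged as wide open.
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-orders-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-orders-bucket/*"},
    ],
})

# Constructed ACL, shaped like the "Grants" part of a GetBucketAcl response.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-EXAMPLE"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Constructed PublicAccessBlockConfiguration with only half of the settings enabled.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# The two predefined S3 groups that mean "anyone on the internet" / "anyone with an AWS account".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return (Sid, sorted actions) for Allow statements open to everyone with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants are reported separately in a real audit
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt["Action"]))))
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) pairs for grants to the public or all-authenticated groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            out.append((grantee["URI"], grant.get("Permission")))
    return out


def block_public_access_complete(config):
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in PAB_KEYS)


if __name__ == "__main__":
    for sid, actions in public_statements(SAMPLE_POLICY):
        print(f"policy statement {sid} grants {actions} to everyone")
    for uri, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {uri}")
    print("Block Public Access fully enabled:", block_public_access_complete(SAMPLE_PAB))
```

On a live account the same three functions would be fed the output of the corresponding S3 API calls for every bucket; any non-empty result from the first two, or a False from the third, is a bucket that can be reached the way this one was.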
What Data Was Exposed?
Pictured: An order registry with Personally Identifying Information redacted.
Pictured: An order registry from different websites with Personally Identifying Information redacted.
The Cosmolog Kozmetik breach exposed over 5400 Excel files containing over 637,000 unique orders made by over 567,000 unique users on multiple e-commerce websites. The leaked order records revealed customers’ names, surnames, physical addresses, and purchase details such as the items purchased and their quantities. However, no payment information such as credit card numbers was found in the exposed data.
In some cases, users’ phone numbers and email addresses were exposed too. Which user details were exposed depended on the platform the customer used to buy from Cosmolog Kozmetik, since each site shared a different amount of data with the retailer. Below is a table of the platforms the company operated on and which details were exposed for each:
| Website | Names and Surnames | Physical Address | Email Address | Phone Number | Payment Information |
|---|---|---|---|---|---|
| Cosmolog’s Website | Yes | Yes | Yes | Yes | No |
| Unishop Unilever | Yes | Yes | Yes | Yes | No |
| N11 | Yes | Yes | Yes | Yes | No |
| GittiGidiyor | Yes | Yes | Yes | Yes | No |
| Hepsiburada | Yes | Yes | Yes | No | No |
| Trendyol | Yes | Yes | No | No | No |
The order files were being updated frequently. The oldest files dated back to September 2019, and the newest were still being updated as we discovered the breach. The bucket also contained over 4000 images, almost all of them product pictures from the company’s website; the rest were pictures from cancelled orders (mostly damaged goods) taken by Cosmolog’s staff.
Cosmolog’s parent company, Gercek Kozmetik, has a close relationship with Unishop’s parent company, Unilever. Cosmolog is even listed as a co-responsible on Unishop’s privacy page. This is why there was more information exposed from Unishop than from, say, Hepsiburada and Trendyol.
Pictured: Screenshots of Unishop’s privacy policy with Cosmolog listed as a co-responsible in both Turkish and English.
The greater danger of this breach comes from Cosmolog Kozmetik’s use of multiple e-commerce platforms. Many users on these Turkish sites don’t check the name of the seller when purchasing goods and might not be aware of their exposure. If you purchased goods from Turkish platforms such as Trendyol or Hepsiburada, it is important you check who sold you those products. If you bought any Cosmolog Kozmetik or Marketlog products, you might be at risk.
About the author:
Cybersecurity Research Team
For more details about the risks and how to protect yourself, see the original post:
https://www.wizcase.com/blog/cosmolog-breach-report/
(SecurityAffairs – hacking, data breach)