Pierluigi Paganini February 12, 2020

A security expert discovered that the Cosmetic firm Estée Lauder exposed 440 million records online in a database that was left unsecured.

The security expert Jeremiah Fowler discovered an unsecured database belonging to the Cosmetic firm Estée Lauder that contained 440,336,852 records.

Estée Lauder is an American multinational manufacturer and marketer of prestige skincare, makeup, fragrance and hair care products, it owns multiple brands, distributed internationally through both digital commerce and retail channels.

Fowler discovered the unsecured database on January 30 and attempted to report its discovery to the company. 

“On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. Upon further review I was able to see connections to New York based cosmetic company Estée Lauder.” reads the post published by the researcher. “I could see audit logs that contained a large number of email addresses in each document. I immediately sent a responsible disclosure notice Estée Lauder alerting them to the exposure.”

The exposed data included user email addresses in plain text, the archive also contained Internal email addresses from the @estee.com domain. 

The archive included audit logs containing a large number of email addresses in each document. 

The archive also contained technical information, including IP addresses, ports, and paths, that could be used by attackers to gather intelligence on the company infrastructure.

“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system.” continues the post. “Data management, application services, messaging, authentication, and API management are all commonly handled by middleware. Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised.”

Fowler warns that the exposure of middleware records could allow attackers to create a secondary path for malware.

The good news is that the database was rapidly secured, no payment data or sensitive employee information was apparently stored in the archive. 

At the time it is not clear how many email addresses were exposed in the database and for how long the data was exposed online. The expert also remarked that it is not clear whether the data was accessed by third parties, including threat actors or not. 

“It is unclear exactly how many “user” email addresses were exposed. It is also unclear how long the Estée Lauder database was exposed or who else may have accessed the records.” concluded the post.

Pierluigi Paganini

(SecurityAffairs – Data Leak, Estée Lauder)

[adrotate banner=”5″]

[adrotate banner=”13″]