PII of 2.5m Yves Rocher customers leaked via unsecured database
Security researchers from vpnMentor recently discovered an unsecured Elasticsearch database containing the personal information of around 2.5 million customers of the French cosmetics giant Yves Rocher. The database did not belong to Yves Rocher itself but to a third-party vendor that provides digital transformation services to the company.
According to vpnMentor, the data in the exposed Elasticsearch database included Personally Identifiable Information (PII) such as first and last names, dates of birth, phone numbers, email addresses, and zip codes of more than 2.5 million Yves Rocher customers, all of them located in Canada.
The unsecured database is owned and managed by Aliznet, a French consulting company whose other clients include IBM, Oracle, Salesforce, Sephora, and Louboutin.
Data leak compromised millions of customer and company records
A team of researchers led by Noam Rotem and Ran Locar also found records of more than six million orders for Yves Rocher products in the same database. Each order record carried the transaction amount, the currency used, the delivery date, and the store where the order was placed. Because every record also carried a unique Customer ID, the researchers could link each order to the customer who placed it.
Apart from PII and order details, the researchers found a variety of internal Yves Rocher business data: statistics on store traffic, turnover and order volumes; product descriptions and ingredient lists for over 40,000 retail products; and product prices with the associated offer codes.
The researchers also exploited a vulnerability in the Aliznet-owned Elasticsearch database to reach the API interface of an application used by Yves Rocher employees. The application could be accessed with employee IDs and held information about the company and its customers.
After analysing the application, the researchers concluded that it was linked to databases containing customers' home addresses and purchase histories, and that its API explorer could be used to add, delete, or modify records in the company database. A malicious actor with the same access could therefore tamper with data on customers, products, stores, and more, not merely read it.
“The data breach exposed full contact details for individual customers of Yves Rocher. Hackers, scammers, and advertisers can easily exploit this information. With access to your address, email addresses, and phone number, malicious parties can create sophisticated phishing schemes and ransomware attacks.
“Once a malicious actor is in control of your cell phone number, they can use it to gain access to your other private accounts that are protected with two-factor authentication. The data breach also exposed records of customer orders of Yves Rocher products. This can be dangerous. Banks and other financial institutions often ask questions about your recent purchases to confirm your identity,” vpnMentor warned.
Commenting on the leak of personal records belonging to over 2.5 million Canadian customers of Yves Rocher, Anurag Kahol, CTO at Bitglass, said that tools designed to detect abusable misconfigurations in IT assets such as Elasticsearch databases now exist, and that they have grown in popularity as an attack vector across all industries.
“Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe,” he said.
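The recurring failure in these incidents is an Elasticsearch HTTP API that answers anyone on the internet without credentials. The script below is an added example, written for this page and not code from vpnMentor, Aliznet, Bitglass or Yves Rocher. It performs the check a defender (or a researcher like the vpnMentor team) would run against a node: ask the root endpoint for the cluster banner and, if that succeeds without authentication, list the indices and their document counts through the `_cat/indices` API. Since a live cluster is not available offline, the block also starts a constructed mock node on a loopback port; its cluster name, version string and index listing (a "customers" index with 2.5 million documents and an "orders" index with 6 million) are invented to mirror the shape of the reported leak and are not data from the real incident.

```python
"""Probe an Elasticsearch HTTP endpoint for anonymous (unauthenticated) access.

Added example for this article; not code from any party named in it. The
mock node is constructed so the probe can be exercised offline.
"""
import http.server
import json
import threading
import urllib.error
import urllib.request


def _result(status, cluster=None, indices=()):
    return {"status": status, "cluster": cluster, "indices": list(indices)}


def probe(base_url, timeout=3.0):
    """Classify an Elasticsearch endpoint as open, auth_required,
    not_elasticsearch or unreachable; for an open node also return the
    cluster name and a list of (index, doc_count) pairs."""
    def get(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)

    try:
        root = get("/")
    except urllib.error.HTTPError as err:
        # A node with authentication enabled rejects the root request with
        # 401/403 before disclosing anything about the cluster.
        if err.code in (401, 403):
            return _result("auth_required")
        return _result("unreachable")
    except (urllib.error.URLError, OSError, ValueError):
        return _result("unreachable")

    if not isinstance(root, dict) or "cluster_name" not in root:
        return _result("not_elasticsearch")

    # The banner came back without credentials: enumerate what is exposed.
    try:
        cat = get("/_cat/indices?format=json&h=index,docs.count")
    except (urllib.error.URLError, OSError, ValueError):
        cat = []
    indices = []
    for row in cat:
        try:
            indices.append((row["index"], int(row.get("docs.count") or 0)))
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than abort the report
    return _result("open", root["cluster_name"], indices)


class _MockNode(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an Elasticsearch node; not a real cluster."""
    require_auth = False
    # Constructed listing shaped like the reported leak (not the real data).
    indices = [{"index": "customers", "docs.count": "2500000"},
               {"index": "orders", "docs.count": "6000000"}]

    def _send(self, code, body=None, extra=()):
        data = b"" if body is None else json.dumps(body).encode()
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self._send(401, extra=[("WWW-Authenticate", 'Basic realm="security"')])
        elif self.path == "/":
            self._send(200, {"name": "node-1", "cluster_name": "constructed-cluster",
                             "version": {"number": "7.10.2"}})
        elif self.path.startswith("/_cat/indices"):
            self._send(200, self.indices)
        else:
            self._send(404)

    def log_message(self, *args):  # keep demo output quiet
        pass


def start_mock(require_auth):
    """Start a mock node on a random loopback port and return its base URL."""
    handler = type("MockNode", (_MockNode,), {"require_auth": require_auth})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    for auth in (False, True):
        print("require_auth=%s -> %s" % (auth, probe(start_mock(auth))))
```

Pointed at a node you operate, `probe("http://<host>:9200")` returning `"open"` means the cluster banner and index list are readable by anyone who can reach the port, which is the condition behind every incident on this page. The server-side fix is to bind `network.host` to a private interface, put the node behind a firewall, and enable authentication (`xpack.security.enabled: true` in elasticsearch.yml; Elasticsearch 8.x turns security on by default), after which the same probe should report `"auth_required"`.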
Large amounts of data being stored in unsecured databases
Earlier this year, security researcher Bob Diachenko discovered an unsecured Elasticsearch database holding 51GB of data, including more than 24 million banking and financial documents, mostly digitised credit and mortgage reports. Any opportunistic cyber criminal who found the database could have used its contents to commit identity fraud, file false tax returns, and obtain loans and credit cards in the names of innocent citizens.
“These documents contained highly sensitive data, such as social security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report. This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” said Diachenko.
In November last year, Diachenko also spotted an unprotected Elasticsearch database containing detailed personal records, including personally identifiable information, of millions of U.S. citizens.
According to Diachenko, that database held the first names, last names, employers, job titles, email addresses, home addresses, states, zip codes, phone numbers, and IP addresses of 56,934,021 US citizens. A second index in the same database contained over 25 million records including names, company details, zip codes, carrier routes, latitude/longitude coordinates, census tracts, phone numbers, web addresses, email addresses, employee counts, revenue figures, NAICS codes, and SIC codes.