Unsecured Estee Lauder Database Exposed 440 Million RecordsSecurity Researcher Finds Emails and Internal Company IT Logs Were Accessible
(This story has been updated)
An unsecured, internet-facing database belonging to cosmetic giant Estée Lauder exposed over 440 million company records, including email addresses and IT logs, according to a report from a security researcher who discovered it.
The database, which was hosted on the company's Microsoft Azure cloud platform, has since been secured and password protected, says Jeremiah Fowler, a security researcher with Security Discovery, which provides research and consulting services. It's not clear how long the database may have been exposed or if anyone accessed any of the data, Fowler adds.
Fowler first discovered the exposed database on Jan. 31. He says it contained a wealth of Estée Lauder data, including:
- User emails stored in plain text, including internal email addresses from the @estee.com domain;
- Numerous internal IT logs, including production, audit, error, content management system and middleware reports;
- References to reports and other internal documents;
- References to IP address, ports, pathways and storage used within the company.
"To the best of my knowledge, the database did not contain payment data or sensitive employee information based on what I personally saw," Fowler notes in a Tuesday blog post.
On Thursday, a spokesperson for Estée Lauder, which is based in New York, issued a statement about the incident to ISMG.
"On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet," the spokesperson says. "This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties."
But Fowler says that many of the email address he saw in the database appeared to be connected to customers and employees. He adds that the company's statement sent to him, which noted that the data was "temporarily accessible," also raises security concerns.
"I was able to validate the emails were connected to real people," Fowler tells Information Security Media Group. "Also, the middleware logs contained IP addresses and device information of what I can assume were visitors to their site, stores or other areas of their network. This is yet another wake-up call for companies to encrypt data - and that includes logs and 'educational platforms.'"
Over the past several years, the discovery of unprotected cloud-based databases has turned into a cottage industry, with security researchers discovering new examples every month.
Earlier this week, reports surfaced that Israel's entire voter registration database - comprising close to 6.5 million people - was exposed to the internet because of an elementary coding flaw in an election application (see: Coding Flaw Exposes Voter Details for 6.5 Million Israelis).
In December, over 4 terabytes of data affecting 1.2 billion people was exposed to the internet on an unsecured Elasticsearch server (see: Unsecured Server Exposed Records of 1.2 Billion: Researchers).
"Database misconfiguration is often overlooked, so it's crucial that IT teams understand their environment and know where the data is being stored so that they are able to identify any vulnerabilities easily and issue a patch update where required," Francis Gaffney, director of threat intelligence at security firm Mimecast, tells ISMG.
Gaffney suggests companies that are using cloud-based tools take additional security measures, such as penetration testing, to help identify and flag issues. "You only have to look at organizations that have suffered from large-scale breaches previously to see the reputational impact that they have suffered," he says.