A cloud database belonging to cosmetics giant Estée Lauder was left publicly accessible without any authentication, exposing data relating to millions of customers to anyone who found it. Cyber security researcher Jeremiah Fowler of Security Discovery discovered the unprotected customer database.
The data was stored in plain text, so no decryption or other extra step was needed to read it. It included email addresses and data from local content management systems (CMS). No payment data or sensitive employee information was found, but 440 million records give criminals plenty of raw material for, among other things, identity fraud.
“This company has been a household name for over 70 years and had an annual revenue of 14.863 billion dollars in 2019 – it seems logical that there would be a large dataset associated with the business,” Fowler stated.
In short, the dataset was simply not protected. Fowler added that he had not yet established exactly how many distinct individuals appear in the database, because he prioritised reporting the exposure to the company over a full analysis. A record is not the same as a person, but with 440 million records it does not seem far-fetched to speak of millions of affected users. Estée Lauder locked down the database within 24 hours of Fowler's warning, but it is not clear how long the data had been exposed before that, nor whether anyone else had accessed it in the meantime.
Beyond identity fraud, internal email addresses are valuable for phishing: knowing real staff names and the company's address format lets attackers impersonate colleagues convincingly and, for example, trick employees into opening malware-laden attachments. The exposed IP addresses, ports, paths and storage details are equally useful on their own, since they map the company's internal infrastructure and hand an attacker much of the reconnaissance work that would otherwise precede an intrusion.