Security Researcher Finds Emails and Internal Company IT Logs Were Accessible
An unsecured, internet-facing database belonging to cosmetics giant Estée Lauder exposed over 440 million company records, including email addresses and IT logs, according to a report from a security researcher who discovered it.
The database, which was hosted on the company’s Microsoft Azure cloud platform, has since been secured and password protected, says Jeremiah Fowler, a security researcher with Security Discovery, which provides research and consulting services. It’s not clear how long the database may have been exposed or if anyone accessed any of the data, Fowler adds.
Fowler first discovered the exposed database on Jan. 31. He says it contained a wealth of Estée Lauder data, including:
- User emails stored in plain text, including internal email addresses from the @estee.com domain;
- Numerous internal IT logs, including production, audit, error, content management system and middleware reports;
- References to reports and other internal documents;
- References to IP addresses, ports, pathways and storage used within the company.
“To the best of my knowledge, the database did not contain payment data or sensitive employee information based on what I personally saw,” Fowler notes in a Tuesday blog post.
Estée Lauder, which is based in New York, could not be reached for comment. A company spokesperson, however, told Forbes: “This education platform was not consumer-facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data.”
But Fowler says that many of the email addresses he saw in the database appeared to be connected to customers and employees. He adds that the company’s statement sent to him and Forbes, which noted that the data was “temporarily accessible,” also raises security concerns.
“I was able to validate the emails were connected to real people,” Fowler tells Information Security Media Group. “Also, the middleware logs contained IP addresses and device information of what I can assume were visitors to their site, stores or other areas of their network. This is yet another wake-up call for companies to encrypt data – and that includes logs and ‘educational platforms.’”
Over the past several years, the discovery of unprotected cloud-based databases has turned into a cottage industry, with security researchers discovering new examples every month.
Earlier this week, reports surfaced that Israel’s entire voter registration database – comprising close to 6.5 million people – was exposed to the internet because of an elementary coding flaw in an election application (see: Coding Flaw Exposes Voter Details for 6.5 Million Israelis).
In December, over 4 terabytes of data affecting 1.2 billion people was exposed to the internet on an unsecured Elasticsearch server (see: Unsecured Server Exposed Records of 1.2 Billion: Researchers).
“Database misconfiguration is often overlooked, so it’s crucial that IT teams understand their environment and know where the data is being stored so that they are able to identify any vulnerabilities easily and issue a patch update where required,” Francis Gaffney, director of threat intelligence at security firm Mimecast, tells ISMG.
Gaffney suggests companies that are using cloud-based tools take additional security measures, such as penetration testing, to help identify and flag issues. “You only have to look at organizations that have suffered from large-scale breaches previously to see the reputational impact that they have suffered,” he says.