A misconfigured cloud server at global cosmetics brand Avon was recently found leaking 19 million records, including personal data and technical logs.
Researchers at SafetyDetectives led by Anurag Sen told Infosecurity that they found the Elasticsearch database on an Azure server publicly exposed, with no password protection or encryption.
“The vulnerability effectively means that anyone possessing the server’s IP address could access the company’s open database,” it explained in a subsequent report.
The London-headquartered firm, which has around $5.5bn in annual worldwide sales, was apparently exposing the 7GB database for nine days before it was discovered on June 12.
It contained personally identifiable information (PII) on customers and possibly employees, including full names, phone numbers, dates of birth, email and home addresses, and GPS coordinates. Also included in the haul were 40,000+ security tokens, OAuth tokens, internal logs, account settings and technical server information.
While the PII could have been leveraged to commit a wide range of identity fraud and follow-on phishing scams, the exposed technical details also posed a risk to Avon, according to SafetyDetectives.
“Given the type and amount of sensitive information made available, hackers would be able to gain full server control and conduct severely damaging actions that permanently damage the Avon brand, namely ransomware attacks and paralyzing the company’s payments infrastructure,” it argued.
Curiously, a June 9 filing with the Securities and Exchange Commission revealed the company had suffered a “cyber-incident in its information technology environment which has interrupted some systems and partially affected operations.”
A second filing on June 12 said that the company was planning a restart of its systems.
“Avon is continuing the investigation to determine the extent of the incident, including potentially compromised personal data,” it continued. “However, at this point it does not anticipate that credit card details were likely affected, as its main e-commerce website does not store that information.”
It is unclear whether the incident was linked to this exposed cloud server or not.