Cosmetic company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says.
Headquartered in New York, Estée Lauder sells products in more than 135 countries and territories. The Estée Lauder Companies owns multiple internationally renowned brands.
The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database.
In total, 440,336,852 records were inadvertently exposed to the Internet, including audit logs containing a large number of email addresses in each document.
The exposed data, Fowler says, included user email addresses in plain text. Internal email addresses from the @estee.com domain were also present in the database.
Additionally, there were production, audit, error, CMS, and middleware logs left widely accessible to anyone with an Internet connection. References to reports and other internal documents were also found in the database.
Details such as IP addresses, ports, paths, and storage details were exposed as well, potentially giving cybercriminals a foothold for moving deeper into the company’s network.
The security researcher notes that the database contained “millions of records pertaining to middleware” that Estée Lauder is using.
Middleware, software that provides services and capabilities beyond what the operating system itself offers, commonly handles data management, application services, messaging, authentication, and API management, Fowler explains.
“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” the researcher says.
Fowler, who says that the database was secured before he could investigate further, believes that no payment data or sensitive employee information was stored in the database.
What the researcher could not determine was the number of user email addresses exposed in the database and for how long the data was exposed to the Internet. It’s also unclear whether the data was accessed by threat actors or not.
SecurityWeek has contacted Estée Lauder for additional information on the exposure and will update the article when a response arrives.