The Brazilian cosmetics company that bought Avon Products Inc. in January accidentally exposed personal information about 250,000 of its customers that could have been accessed by anyone, The Hacker News reported.
Natura & Co., based in Sao Paulo, inadvertently left hundreds of gigabytes of its customers’ personal and payment-related information publicly available online.
Anurag Sen, a researcher at SafetyDetective, discovered two unprotected Amazon-hosted servers last month that belonged to Natura and contained more than 192 million records.
Sen told The Hacker News that the exposed data included account login cookies and archives containing data from the servers and users.
The leaked information also includes online payment account details, among them access details for nearly 40,000 wirecard.com.br users who had linked that service with their Natura accounts, the report said.
“Around 90 percent of users were Brazilian customers, although other nationalities were also present, including customers from Peru,” Sen told The Hacker News. “The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several Amazon bucket names were mentioned in the leak, including PDF documents referring to formal agreements between various parties.”
The leaked information includes name, mother’s maiden name, date of birth, nationality, gender, username and nicknames, recent purchases, phone number, and email and home addresses.
In addition, the vulnerable server also held a secret Privacy Enhanced Mail (PEM) file containing the password to the Amazon cloud-based server on which the Natura website is hosted. If exploited, The Hacker News said, it could have allowed attackers to place a digital skimmer on the company's official website and steal users' payment card details in real time.
“Exposed details about the backend, as well as keys to servers, could be leveraged to conduct further attacks and allow deeper penetration into existing systems,” Sen told the outlet.
SafetyDetective said it reported its findings to Natura in April but did not receive a response. SafetyDetective then contacted Amazon, which asked Natura & Co. to secure the two servers, The Hacker News reported. SafetyDetective said Natura customers should be vigilant against identity theft, change their account passwords and keep a close eye on their payment card transactions for signs of any suspicious activity.
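The exposure described above came down to Amazon-hosted storage that anyone on the internet could read. The check a defender would run before that happens is to audit every bucket for public access. The following is an added example, not code from the article, from Natura or from SafetyDetective: it evaluates the three things AWS consults when deciding whether an S3 bucket is public (the bucket ACL, the bucket policy and the Public Access Block settings) over constructed sample data shaped like the responses boto3 returns, so it runs offline. The bucket names and grants are made up for illustration.

```python
"""Offline audit of S3 bucket exposure (added example, not the article's code).

Inputs mimic the shapes returned by boto3's get_bucket_acl,
get_bucket_policy (the 'Policy' JSON string) and get_public_access_block
(the 'PublicAccessBlockConfiguration' dict), so live output can be fed in.
"""
import json

# Grantee URIs that mean "everyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True if a policy statement's Principal is the wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_acl_grants(acl):
    """ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_public(s.get("Principal"))
        and not s.get("Condition")
    ]


def assess_bucket(acl, policy_json, public_access_block):
    """Return (status, findings).

    'public'   - a public ACL grant or policy statement is in effect
    'shielded' - public grants exist but Public Access Block neutralises them
    'private'  - nothing grants access to everyone
    """
    pab = public_access_block or {}
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    findings = []
    exposed = False
    if acl_hits:
        if pab.get("IgnorePublicAcls"):
            findings.append("public ACL grants present, ignored by Public Access Block")
        else:
            exposed = True
            findings.append("%d ACL grant(s) to everyone" % len(acl_hits))
    if policy_hits:
        if pab.get("RestrictPublicBuckets"):
            findings.append("public policy statements present, restricted by Public Access Block")
        else:
            exposed = True
            findings.append("%d policy statement(s) with Principal '*'" % len(policy_hits))
    status = "public" if exposed else ("shielded" if findings else "private")
    return status, findings


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
READ_ALL = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::placeholder/*"}

# Constructed sample buckets; names and grants are invented for the example.
SAMPLE_BUCKETS = {
    "open-customer-archive": {   # world-readable through the ACL
        "acl": {"Grants": [OWNER, {"Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]},
        "policy": None, "pab": None},
    "open-api-logs": {           # world-readable through the bucket policy
        "acl": {"Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [READ_ALL]}),
        "pab": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "locked-down": {             # same policy, but Public Access Block is on
        "acl": {"Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": READ_ALL}),
        "pab": ALL_BLOCKED},
}


def audit(buckets=SAMPLE_BUCKETS):
    """Map bucket name -> (status, findings) for every bucket given."""
    return {n: assess_bucket(b["acl"], b["policy"], b["pab"]) for n, b in buckets.items()}


if __name__ == "__main__":
    for name, (status, findings) in audit().items():
        print("%-22s %-8s %s" % (name, status, "; ".join(findings) or "-"))
```

To run this against a real account, feed `assess_bucket` the results of `get_bucket_acl`, `get_bucket_policy` (which raises when no policy exists, so treat that as `None`) and `get_public_access_block` for each bucket listed by `list_buckets`. A statement that grants to `*` but carries a `Condition` is deliberately not flagged here, since whether it is public depends on the condition; review those by hand.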
“The risk of phishing and phone scams is also raised by the Natura data leak,” Sen said, according to the report.