Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data.
While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that “interrupted some systems and partially affected operations.”
On June 12, Avon Products submitted a second regulatory filing stating that, “after suffering the cyber incident communicated on June 9, 2020” they are “planning to restart some of its affected systems in the impacted markets throughout the course of next week.”
“Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data,” the report said. “Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.”
A third update said the company “reestablished most of its operating systems and resumed operations in most of its markets, including the majority of its distribution centers.”
SafetyDetectives speculate that the statements are not linked to the data breach discovered by their team.
The investigators’ report, released on July 28, says the unprotected Avon.com server contained API logs for both the web and mobile websites, meaning that all production server information, along with sign-in and refresh OAuth tokens, was exposed.
The database contained over 7GB of data, including personally identifiable information and non-personal technical information:
• Names, phone numbers, date of birth and physical address
• Email addresses, GPS coordinates, last payment amounts
• Names of company employees (not confirmed)
• Administrator user emails
• More than 40,000 security tokens
• OAuth tokens and internal logs
• Account settings and server information
Moreover, the leaked data contained sensitive information such as PIN codes sent by SMS. The leaked internal logs could even be used to attack Avon’s IT infrastructure.
“Hackers could potentially harness the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners,” the researchers added.
Even though there is not enough evidence to link the initial security incident reported by Avon with this data leak, precautionary measures should be taken.
Employees and Avon customers should inspect their online accounts and reset their passwords. Although the company has since secured the server, the possibility that someone accessed the database while it was open can’t be excluded.
As a quick side note, Brazil’s Natura & Co Cosmetics, which acquired a 76% stake in Avon, also suffered a similar security incident in April 2020, when the personally identifiable information (PII) of more than 190 million customers was found completely unprotected on two US-based Amazon servers. However, unlike Avon’s data leak, Natura’s servers contained the payment information of 40,000 shoppers.