Beauty and the Breach: Estée Lauder Exposes 440 Million Records in Unprotected Database

Customer Data Not Impacted, But Records Exposed Sensitive Details on Some IT Infrastructure and Applications 

Cosmetic company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says.

Headquartered in New York, Estée Lauder sells products in more than 135 countries and territories. The Estée Lauder Companies owns multiple internationally renowned brands. 

The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database. 

Estée Lauder told SecurityWeek that no consumer data was affected in the incident.

In total, 440,336,852 records were inadvertently exposed to the Internet, including audit logs containing a large number of email addresses in each document. 

The exposed data, Fowler says, included user email addresses in plain text. Internal email addresses from the company's own domain were also present in the database.

Additionally, there were production, audit, error, CMS, and middleware logs left widely accessible to anyone with an Internet connection. References to reports and other internal documents were also found in the database. 

Details such as IP addresses, ports, pathways, and storage details were exposed as well, potentially providing cybercriminals with access deeper into the company’s network. 

The security researcher notes that the database contained “millions of records pertaining to middleware” that Estée Lauder is using. 

Software that provides services and capabilities beyond what the operating system offers, middleware commonly handles data management, application services, messaging, authentication, and API management, Fowler explains.

“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” the researcher says. 

Fowler, who says that the database was secured before he could investigate further, believes that no payment data or sensitive employee information was stored in the database. 

What the researcher could not determine was the number of user email addresses exposed in the database and for how long the data was exposed to the Internet. It’s also unclear whether the data was accessed by threat actors or not. 
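An added example, not part of the original article or the researcher's work, of the quantification step described above: a small triage script that walks an exported set of log-style records and counts the distinct email addresses, internal-domain addresses, IP addresses, ports and file paths they contain, so the scope of an exposure like this can be measured before notification. The records and the example.com domain are constructed for the example.

```python
import re
import json
from collections import Counter

# Constructed sample of log-style records, modelled loosely on the categories the
# article lists (audit, error, middleware, CMS); none of these values are real.
SAMPLE_RECORDS = [
    '{"type":"audit","msg":"login ok user=alice@example.com from 10.20.30.40"}',
    '{"type":"audit","msg":"login failed user=bob@example.com from 10.20.30.41"}',
    '{"type":"error","msg":"ORA-01017 at /opt/app/middleware/bin/start.sh"}',
    '{"type":"middleware","msg":"service build 4.2.1 listening on 10.20.30.5:8443"}',
    '{"type":"audit","msg":"login ok user=alice@example.com from 10.20.30.40"}',
    '{"type":"cms","msg":"user carol@example.com edited page /cms/reports/q4.pdf"}',
]

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain for the sample

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# IPv4 address with an optional :port suffix; findall yields (ip, port) tuples
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
# Absolute filesystem-style paths (not preceded by a word char or dot)
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")


def triage(records):
    """Return counts of distinct sensitive artefacts found across the records."""
    emails, internal, ips, ports, paths = set(), set(), set(), set(), set()
    by_type = Counter()
    for raw in records:
        rec = json.loads(raw)
        by_type[rec.get("type", "unknown")] += 1
        text = rec.get("msg", "")
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            emails.add(addr)
            if addr.endswith("@" + INTERNAL_DOMAIN):
                internal.add(addr)
        for ip, port in IPPORT_RE.findall(text):
            ips.add(ip)
            if port:
                ports.add(port)
        paths.update(PATH_RE.findall(text))
    return {
        "records": len(records),
        "by_type": dict(by_type),
        "distinct_emails": len(emails),   # duplicates across records collapse
        "internal_emails": len(internal),
        "distinct_ips": len(ips),
        "ports": sorted(ports),
        "paths": sorted(paths),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Distinct counts rather than raw record counts are what matter for notification scope, since the same address appears in many audit entries.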

“On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties,” Estee Lauder Companies said, responding to a SecurityWeek inquiry.

*updated with statement from Estee Lauder and clarifications that no consumer data was affected