
Beauty and the Breach: Estée Lauder Exposes 440 Million Records in Unprotected Database

Customer Data Not Impacted, But Records Exposed Sensitive Details on Some IT Infrastructure and Applications 

Cosmetic company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says.

Headquartered in New York, Estée Lauder sells products in more than 135 countries and territories. The Estée Lauder Companies owns multiple internationally renowned brands. 

The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database. 

Estée Lauder told SecurityWeek that no consumer data was affected in the incident.

In total, 440,336,852 records were inadvertently exposed to the Internet, including audit logs containing a large number of email addresses in each document. 

The exposed data, Fowler says, included user email addresses in plain text. Internal email addresses from the company's own domain were also present in the database.

Additionally, there were production, audit, error, CMS, and middleware logs left widely accessible to anyone with an Internet connection. References to reports and other internal documents were also found in the database. 

Details such as IP addresses, ports, pathways, and storage details were exposed as well, potentially providing cybercriminals with access deeper into the company’s network. 

The security researcher notes that the database contained “millions of records pertaining to middleware” that Estée Lauder is using. 

Middleware is software that provides services and capabilities beyond what the operating system itself offers; it commonly handles data management, application services, messaging, authentication, and API management, Fowler explains.

“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” the researcher says. 

Fowler, who says that the database was secured before he could investigate further, believes that no payment data or sensitive employee information was stored in the database. 

What the researcher could not determine was the number of user email addresses exposed in the database and for how long the data was exposed to the Internet. It’s also unclear whether the data was accessed by threat actors or not. 

“On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties,” Estee Lauder Companies said, responding to a SecurityWeek inquiry.

*updated with statement from Estee Lauder and clarifications that no consumer data was affected

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
