The security expert Jeremiah Fowler discovered an unsecured database belonging to the Cosmetic firm Estée L
Fowler discovered the unsecured database on January 30 and attempted to report its discovery to the company.
“On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. Upon further review I was able to see connections to New York-based cosmetic company Estée Lauder,” reads the post published by the researcher. “I could see audit logs that contained a large number of email addresses in each document. I immediately sent a responsible disclosure notice to Estée Lauder alerting them to the exposure.”
The exposed data included user email addresses in plain text; the archive also contained internal email addresses from the @estee.com domain.
The archive included audit logs containing a large number of email addresses in each document.
The archive also contained technical information, including IP addresses, ports, and paths, that could be used by attackers to gather intelligence on the company.
“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system,” continues the post. “Data management, application services, messaging, authentication, and API management are all commonly handled by
Fowler warns that the exposure of middleware records could allow attackers to create a secondary p
The good news is that the database was rapidly secured, no p
At this time it is not clear how many email addresses were exposed in the database, or for how long the data was exposed online. The expert also remarked that it is not clear whether or not the data was accessed by third parties, including threat actors.
“It is unclear exactly how many “user” email addresses were exposed. It is also unclear how long the Estée L