The security expert Jeremiah Fowler discovered an unsecured database belonging to the cosmetic firm Estée L
Fowler discovered the unsecured database on January 30 and attempted to report its discovery to the company.
“On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. Upon further review I was able to see connections to New York based cosmetic company Estée Lauder,” reads the post published by the researcher. “I could see audit logs that contained a large number of email addresses in each document. I immediately sent a responsible disclosure notice to Estée Lauder alerting them to the exposure.”
The exposed data included user email addresses in plain text; the archive also contained internal email addresses from the @estee.com domain.
The archive included audit logs containing a large number of email addresses in each document.
The archive also contained technical information, including IP addresses, ports, and paths, that could be used by attackers to gather intelligence on the company.
“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system.” continues the post. “Data management, application services, messaging, authentication, and API management are all commonly handled by
Fowler warns that the exposure of middleware records could allow attackers to create a secondary p
The good news is that the database was rapidly secured, no p
At this time it is not clear how many email addresses were exposed in the database or for how long the data was exposed online. The expert also remarked that it is not clear whether or not the data was accessed by third parties, including threat actors.
“It is unclear exactly how many “user” email addresses were exposed. It is also unclear how long the Estée L