Security Discovery specialist Jeremiah Fowler reported that on January 30, 2020, he found an openly accessible database belonging to the perfume and cosmetics company Estée Lauder, containing a total of 440,336,852 entries.
The unprotected database contained a wide variety of information, including audit logs (with a large number of email addresses in each); production, error, CMS, and middleware logs; user email addresses in plain text; and internal company email addresses (the @estee.com domain). The database contained no payment data or confidential information about employees.
The expert also discovered links to reports and other internal documents of Estée Lauder, along with details such as IP addresses, ports, paths and storage data. In other words, data potentially useful to cybercriminals seeking to penetrate the company’s network was publicly accessible.
Fowler stresses that the database contained “millions of records related to middleware,” which could be extremely dangerous.
“Middleware can create workarounds for the malware, through which applications and data can be compromised. In this case, anyone who has an Internet connection can see the ways, find out which versions or assemblies are used, as well as other information that can serve as a backdoor for penetrating the network (of the company),” the expert writes.
Estée Lauder specialists have since fixed the problem and say they have found no evidence of unauthorized use of the data while it was temporarily available to everyone.