A database belonging to the cosmetics company Estée Lauder was left exposed, resulting in a data leak. Nearly 440 million records in the company’s database were exposed, including a large number of logs and email addresses.
On January 30, 2020, Jeremiah Fowler, a security researcher at Security Discovery, discovered the database exposed on the Internet and immediately contacted the cosmetics company after confirming the authenticity of the information in the database. In addition to users’ email addresses in plain text, the database also contained internal email addresses in the @estee.com domain. Production logs, audit logs, error logs, content management system logs, middleware logs, and other internal files could also be easily accessed. Details such as IP addresses, ports, paths, and storage were exposed as well, which may provide criminals with further access to the company’s network.
Fortunately, the database contained no payment data or sensitive employee information. However, it is not yet possible to confirm how many users’ email addresses were exposed, or whether any malicious actors have accessed the database.