Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server

Alina BÎZGĂ

July 29, 2020


Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data.

While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that “interrupted some systems and partially affected operations.”

On June 12, Avon Products submitted a second regulatory filing stating that, “after suffering the cyber incident communicated on June 9, 2020” they are “planning to restart some of its affected systems in the impacted markets throughout the course of next week.”

“Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data,” the report said. “Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.”

A third update said the company “reestablished most [of] its operating systems and resumed operations in most of its markets, including the majority of its distribution centers.”

SafetyDetectives speculate that the statements are not linked to the data breach discovered by their team.

The investigators' report, released on July 28, says the unprotected Avon.com server contained API logs for both the web and mobile websites, meaning that all production server information, along with sign-in and refresh OAuth tokens, was exposed.

The database contained over 7GB of data, including personally identifiable information and non-personal technical information:

• Names, phone numbers, dates of birth and physical addresses
• Email addresses, GPS coordinates and last payment amounts
• Names of company employees (not confirmed)
• Administrator user emails
• More than 40,000 security tokens
• OAuth tokens and internal logs
• Account settings and server information

Moreover, the leaked data contained sensitive information such as PIN codes sent by SMS. The leaked internal logs could even be used to attack Avon's IT infrastructure.
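The failure mode described here, API logs that carry live OAuth tokens and SMS PIN codes, is one a logging pipeline can guard against before anything is written to disk. The Python below is an added example, not code from the article, Avon or SafetyDetectives; the log format, field names and sample lines are constructed for illustration, and it shows both the redaction step and an audit that flags any secret that slipped through.

```python
import re

# Secret-bearing fields that should never reach stored API logs. The field
# names and log format are constructed for this example; real services vary.
SECRET_PATTERNS = [
    # OAuth bearer token in an Authorization header
    ("bearer", re.compile(r"(Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+")),
    # access/refresh tokens in JSON bodies or query strings
    ("oauth_token", re.compile(
        r'("?\b(?:access|refresh)_token\b"?\s*[:=]\s*"?)[A-Za-z0-9._~+/=-]+')),
    # one-time PIN codes delivered by SMS (4 to 8 digits)
    ("pin", re.compile(r'("?\b(?:pin|otp|sms_code)\b"?\s*[:=]\s*"?)\d{4,8}')),
    # GPS coordinates, which are personal data in their own right
    ("gps", re.compile(
        r'("?\b(?:lat|lon|lng|latitude|longitude)\b"?\s*[:=]\s*"?)-?\d{1,3}\.\d+')),
]


def redact_line(line: str) -> str:
    """Replace secret values with [REDACTED], keeping the field name so the log stays useful."""
    for _, pattern in SECRET_PATTERNS:
        line = pattern.sub(r"\1[REDACTED]", line)
    return line


def audit_log(lines) -> list:
    """Return (line_index, kind) for every secret still present; an empty list means clean."""
    findings = []
    for i, line in enumerate(lines):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((i, kind))
    return findings


# Constructed sample of the kind of web/mobile API log the article describes
SAMPLE_LOG = [
    'POST /api/v2/login 200 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZQ.c2ln user=alice',
    'RESP /api/v2/login body={"access_token": "ya29.A0ARrdaM", "refresh_token": "1//0gX9", "pin": "482913"}',
    'GET /api/v2/location?lat=44.4268&lon=26.1025 200',
    'GET /api/v2/catalog 200 items=42',
]

if __name__ == "__main__":
    print("before:", audit_log(SAMPLE_LOG))
    clean = [redact_line(line) for line in SAMPLE_LOG]
    print("after: ", audit_log(clean))
    for line in clean:
        print(line)
```

Running the audit on the raw sample reports the bearer token, both OAuth tokens, the PIN and the coordinates; after redaction it reports nothing, while the request paths, status codes and field names survive for troubleshooting.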

“Hackers could potentially harness the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners,” the researchers added.

Even though there is not enough evidence to link the initial security incident reported by Avon with this data leak, precautionary measures should be taken.

Employees and Avon customers should inspect their online accounts and reset their passwords. Although the company has since secured the leaky server, the possibility that the open database was accessed maliciously while exposed can't be excluded.

As a quick side note, Brazil's Natura & Co Cosmetics, which acquired a 76% stake in Avon, suffered a similar security incident in April 2020, when the personally identifiable information (PII) of more than 190 million customers was found completely unprotected on two US-based Amazon servers. However, unlike Avon's data leak, Natura's servers contained the payment information of 40,000 shoppers.
