Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server

Alina BÎZGĂ

July 29, 2020


Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data.

While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that “interrupted some systems and partially affected operations.”

On June 12, Avon Products submitted a second regulatory filing stating that, “after suffering the cyber incident communicated on June 9, 2020” they are “planning to restart some of its affected systems in the impacted markets throughout the course of next week.”

“Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data,” the report said. “Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.”

A third update said the company “reestablished most its operating systems and resumed operations in most of its markets, including the majority of its distribution centers.”

SafetyDetectives speculate that the statements are not linked to the data breach discovered by their team.

The investigators' report, released on July 28, says the unprotected Avon.com server contained API logs for both the web and mobile websites, meaning that all production server information, along with sign-in and refresh OAuth tokens, was exposed.

The database contained over 7GB of data, including personally identifiable information and non-personal technical information:

• Names, phone numbers, date of birth and physical address
• Email addresses, GPS coordinates, last payment amounts
• Names of company employees (not confirmed)
• Administrator user emails
• More than 40,000 security tokens
• OAuth tokens and internal logs
• Account settings and server information

Moreover, the leaked data contained sensitive information such as PIN codes sent by SMS. The leaked internal logs could even be used to attack Avon's IT infrastructure.
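The two findings above, OAuth tokens in API logs and SMS PIN codes in the same logs, share one root cause: secrets were written to log storage at all, so any exposure of that storage became an account-takeover problem. The script below is an added example written for this article; it is not code from the original post, from SafetyDetectives, or from Avon. It redacts token and PIN fields from a few constructed API log lines before they are written, and also audits existing lines so a team can tell what a log store would give away if it were ever left open. The field names (`access_token`, `refresh_token`, `Authorization: Bearer`, a JSON `"pin"` key) and the sample lines are assumptions chosen for illustration.

```python
import logging
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample API log lines, modelled on the kinds of content the article
# says were exposed (OAuth access/refresh tokens, SMS PIN codes). All values are
# invented; none belongs to any real service.
SAMPLE_LOG_LINES: List[str] = [
    'POST /api/v2/oauth/token 200 access_token=ya29.EXAMPLE-access-token-value '
    'refresh_token=1//EXAMPLE-refresh-token user=alice@example.com',
    'GET /api/v2/account 200 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.payload '
    'user=bob@example.com',
    'POST /api/v2/sms/verify 200 {"phone": "+15555550123", "pin": "482913"}',
    'GET /api/v2/catalog 200 page=2 user=carol@example.com',
]

# (name, pattern, replacement). Each pattern captures the field label so the
# redacted line stays readable while the secret value itself is dropped.
REDACTION_RULES: List[Tuple[str, Pattern, str]] = [
    ("oauth_token", re.compile(r'((?:access|refresh|id)_token=)[^\s&"]+'), r"\1[REDACTED]"),
    ("bearer", re.compile(r'(Authorization:\s*Bearer\s+)[^\s"]+', re.IGNORECASE), r"\1[REDACTED]"),
    ("sms_pin", re.compile(r'("pin"\s*:\s*")\d{4,8}(")'), r"\1[REDACTED]\2"),
]


def redact(line: str) -> str:
    """Return the line with every known secret-bearing field value replaced."""
    for _name, pattern, replacement in REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


def find_secrets(line: str) -> List[str]:
    """Return the names of the secret kinds present in one log line."""
    return [name for name, pattern, _ in REDACTION_RULES if pattern.search(line)]


def audit(lines: List[str]) -> Dict[str, int]:
    """Count, per secret kind, how many lines already on disk would leak it.

    Run this over an existing log store before deciding whether it can be
    shipped, retained, or must be treated as a credential exposure.
    """
    counts = {name: 0 for name, _, _ in REDACTION_RULES}
    for line in lines:
        for name in find_secrets(line):
            counts[name] += 1
    return counts


class RedactingFilter(logging.Filter):
    """logging.Filter that scrubs secrets from each record before any handler
    writes it, so redaction happens at the source rather than in a later pass."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


if __name__ == "__main__":
    print("Audit of constructed sample:", audit(SAMPLE_LOG_LINES))
    logger = logging.getLogger("api")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for sample in SAMPLE_LOG_LINES:
        logger.info(sample)  # emitted lines contain [REDACTED] instead of secrets
```

Attaching the filter to the handler means every record passes through `redact()` before it reaches a file, a SIEM shipper, or a debugging console; the `audit()` pass is the complementary check for logs that were written before the filter existed. Pattern-based redaction is a backstop, not a substitute for never passing tokens and one-time codes to the logger in the first place.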

“Hackers could potentially harness the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners,” the researchers added.

Even though there is not enough evidence to link the initial security incident reported by Avon with this data leak, precautionary measures should be taken.

Employees and Avon customers should inspect their online accounts and reset their passwords. Although the company has secured its leaky server, the possibility of malicious access to the open database can't be excluded.

As a quick side note, Brazil's Natura & Co Cosmetics, which acquired a 76% stake in Avon, also suffered a similar security incident in April 2020, when the personally identifiable information (PII) of more than 190 million customers was found completely unprotected on two US-based Amazon servers. However, unlike Avon's data leak, Natura's servers contained the payment information of 40,000 shoppers.
