Brazil’s Natura & Co Cosmetics Accidentally Exposes Personal Details of 192 Million Customers

Alina BÎZGĂ

May 20, 2020

Nobody gets a free pass when it comes to data breaches. Natura, one of Brazil’s largest cosmetics companies, accidentally exposed the personally identifiable information (PII) of nearly 192 million customers.

The leaky database, discovered last month by Safety Detectives led by cybersecurity researcher Anurag Seg, was hosted on two unprotected US-based Amazon servers, and contained between 272GB and 1.3TB of data belonging to the company.

In yesterday’s report, the researchers noted that more than “250,000 customers that had previously ordered beauty products from the website had their personal information made available to the public without Natura’s knowledge.”

To make matters worse, payment information of 40,000 shoppers “related to a third-party company, Wirecard, was also publicly available for over 2 weeks.”

Upon discovery, the team immediately notified the company, which managed to secure its servers and remove any private data from public view. However, the researchers published their findings in the report, revealing the extent of the data leak:

• Full name, mother’s maiden name and date of birth
• Nationality, gender and telephone numbers
• Natura.com.br login credentials including hashed passwords
• Welcome email template
• Username and nickname
• MOIP account details
• API credentials including unencrypted passwords
• Previous purchases
• Email and physical addresses
• Access token for wirecard.com.br

The exposed login credentials (usernames and hashed passwords) could allow hackers “to find the correct password for each user by brute forcing the hash and obtaining full access to customers’ accounts,” the analysts said.

Attackers could also inflict financial damage on shoppers by exploiting the leaked physical addresses, phone numbers, and other PII. In one scenario, researchers said a bad actor could use the “mother’s maiden names to answer security questions and potentially access email accounts and cloud services that could in turn be used maliciously to gain deeper access to someone’s private information.”

“The risk of phishing and phone scams is also raised by the Natura data leak,” while leveraging the welcome email templates could aid potential phishing scams, leaving victims “under the false impression the email originated from Natura.”

As a reminder, a recent analysis of consumer behavior revealed a worrying trend: 42% of consumers believe the information available in their online account is not “valuable enough to be worth a hacker’s time.” Cyber-crooks profit from the common notion that no cyber-criminal would be after personal information stored on a cosmetics company website or other source.

Last year, cosmetic giants Yves-Rocher and Sephora also made headlines with data breaches that exposed the personal details of millions of their customers. In Sephora’s case, the stolen data was posted for sale on the dark web.
