[BreachExchange] Data Leak Hits 2.5 Million Customers of Cosmetics Giant Yves Rocher

Destry Winant destry at riskbasedsecurity.com
Wed Sep 4 10:16:01 EDT 2019


A French retail consultancy exposed data on millions of its clients’
customers as well as sensitive business information, after researchers
discovered an unsecured Elasticsearch database.

Aliznet, which specializes in digital transformation, names the likes
of tech giants IBM, Oracle and Salesforce, retail leaders like Auchan,
and big brands including Yves Rocher and Lacoste as its clients.

However, researchers from vpnMentor were able to access a private
Aliznet database containing data on 2.5 million Canadian Yves Rocher
customers. This included names, phone numbers, email addresses, dates
of birth and postcodes.

They also discovered over six million customer orders in the database,
including transaction amount, currency used, delivery date and store

“Each order is also linked with a unique customer ID. Using the leaked
Yves Rocher customer records, we were able to identify the individual
who placed each order through their customer ID,” the researchers

Along with this sensitive personally identifiable information (PII) on
customers, vpnMentor found internal Yves Rocher data including: stats
on store traffic, turnover and order volumes, product descriptions and
ingredients for over 40,000 products, and product prices and offer

This info could be a big asset to Yves Rocher’s competitors, allowing
them to estimate store sales, order volumes and other trading data,
the research team claimed.

“The exposed database also provides competitors with a list of Yves
Rocher’s Canadian customers, complete with their name, age, contact
information, and order histories,” it continued.

“Competing cosmetic and beauty companies could use this information to
create highly effective advertising campaigns targeted at Yves Rocher
customers. This could lead to Yves Rocher losing customers to

The vpnMentor team also found an API vulnerability allowing them to
access an application built for Yves Rocher employees by Aliznet.

Using employee IDs exposed in the previously detailed leak, hackers
could log in as Yves Rocher staff to obtain more data on the business
and its customers and even add, delete or modify data in the company
database, vpnMentor claimed.
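The root cause reported above is an Elasticsearch instance reachable without authentication. The article does not say which version was running or how it was configured, so the following is an added illustration, not Aliznet's or Yves Rocher's configuration: two constructed elasticsearch.yml documents, the first showing the kind of settings that leave every index readable by anyone who can reach port 9200, the second the hardened equivalent. Cluster name and certificate paths are assumed placeholders. On Elasticsearch 8.x security is enabled by default; on the 6.x/7.x releases that were current in 2019 it had to be switched on explicitly.

```yaml
# Document 1: exposed configuration (constructed illustration, not from the page).
# Binding to all interfaces with security disabled means the REST API answers
# any unauthenticated GET /_search from the internet.
cluster.name: example-analytics      # assumed placeholder name
network.host: 0.0.0.0                # listens on every interface, public ones included
http.port: 9200
xpack.security.enabled: false        # no credentials required for any request
---
# Document 2: hardened equivalent of the same node.
cluster.name: example-analytics
network.host: 127.0.0.1              # or a private-network address only; never 0.0.0.0 on an internet-facing host
http.port: 9200
xpack.security.enabled: true         # every request must carry valid credentials
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # assumed path
```

After restarting with the second document, an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:9200/` against your own node should return 401 rather than the cluster banner; a 200 on that check is the condition described in the article. Binding to a private address on its own is not enough, because any reverse proxy or port forward placed in front of the node later would re-expose it, so both the binding and the authentication setting matter.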
