[BreachExchange] Estée Lauder Exposes 440M Records, with Email Addresses, Network Info

Destry Winant destry at riskbasedsecurity.com
Wed Feb 12 10:07:34 EST 2020


https://threatpost.com/estee-lauder-440m-records-email-network-info/152789/

Middleware data was exposed, which can create a secondary path for
malware through which applications and data can be compromised.

A non-password protected cloud database containing hundreds of
millions of customer records and internal logs for cosmetic giant
Estée Lauder has been found exposed online, according to researchers.

In all, 440,336,852 individual data pieces were exposed, according to
researcher Jeremiah Fowler at Security Discovery. Many of the records
importantly contained plaintext email addresses (including internal
email addresses from the @estee.com domain). There were also reams of
logs for content management systems (CMS) and middleware activity.
Fortunately, there was no payment data or sensitive employee
information included in the records that Fowler saw.

“This company has been a household name for over 70 years and had an
annual revenue of $14.863 billion in 2019 – [so] it seems logical that
there would be a large dataset associated with the business,” Fowler
wrote in a report on his discovery, published Tuesday. He added that
while he saw that there were “massive” numbers of consumer email
addresses involved, he didn’t calculate the total number because he
immediately pivoted to notifying the company.

“I can only speculate or assume that the email addresses were from
digital commerce or online sales,” he said.

As for the other data, most of it could be used as reconnaissance for
a larger network attack, Fowler noted. The logs for instance contained
IP addresses, ports, pathways and storage information that could be
used to map out the company’s internal LAN or WAN; and, middleware
used by the company to connect different data-generating software
packages was also detailed.

Middleware typically handles tasks like providing a consistent
front-end for data management across different internal systems;
application services; messaging; authentication; and API management.

“Middleware can create a secondary path for malware, through which
applications and data can be compromised,” Fowler explained. “In this
instance, anyone with an internet connection could see what versions
or builds are being used, the paths, and other information that could
serve as a backdoor into the network.”
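The two paragraphs above describe the recon value of exposed logs: internal e-mail addresses, private IP addresses and ports, filesystem and API paths, and middleware version strings. A practical control is to scan log records for exactly those fields before they are shipped to any shared or cloud-hosted store, and to redact them when they are not needed. The following is an added example written for this page, not code from the Threatpost article, Security Discovery, or Estée Lauder. The internal mail domain (`example.com`), the log lines, and the field classes it looks for are constructed for illustration.

```python
"""Flag and redact recon-relevant fields in application/middleware logs.

Added example for this page (not from the article or the affected company).
Constructed inputs only: the internal domain and all sample lines are made up.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the organisation's internal mail domain (constructed).
INTERNAL_DOMAINS = {"example.com"}

# RFC 1918 plus loopback. Checked explicitly rather than via ip.is_private,
# which in Python also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+\.)+[a-z]{2,}\b", re.I)
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")  # addr[:port]
PATH_RE = re.compile(r"(/[\w.-]+){2,}")                                   # at least 2 segments
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)/(\d+(?:\.\d+){1,3})\b")      # e.g. Tomcat/9.0.31


@dataclass
class Finding:
    kind: str   # internal_email, customer_email, private_ip, port, path, version
    value: str


def _is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def scan_line(line: str) -> List[Finding]:
    """Return the recon-relevant fields present in one log line (read-only)."""
    findings: List[Finding] = []
    for m in EMAIL_RE.finditer(line):
        domain = m.group(0).rsplit("@", 1)[1].lower()
        kind = "internal_email" if domain in INTERNAL_DOMAINS else "customer_email"
        findings.append(Finding(kind, m.group(0)))
    for m in IP_PORT_RE.finditer(line):
        addr, port = m.group(1), m.group(2)
        if _is_internal(addr):          # public addresses are left alone
            findings.append(Finding("private_ip", addr))
            if port:
                findings.append(Finding("port", port))
    for m in PATH_RE.finditer(line):
        findings.append(Finding("path", m.group(0)))
    for m in VERSION_RE.finditer(line):
        findings.append(Finding("version", m.group(0)))
    return findings


def redact_line(line: str) -> str:
    """Replace the same fields with placeholders so the line is safe to store."""
    line = EMAIL_RE.sub("[EMAIL]", line)

    def _ip(m: "re.Match[str]") -> str:
        if not _is_internal(m.group(1)):
            return m.group(0)
        return "[INTERNAL_IP]" + (":[PORT]" if m.group(2) else "")

    line = IP_PORT_RE.sub(_ip, line)
    line = PATH_RE.sub("[PATH]", line)
    line = VERSION_RE.sub(lambda m: m.group(1) + "/[VER]", line)
    return line


def triage(lines: List[str]) -> Dict[str, int]:
    """Count findings by kind across a batch, e.g. before approving a log export."""
    counts: Dict[str, int] = {}
    for line in lines:
        for f in scan_line(line):
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample lines (not from any real dataset).
SAMPLE_LOGS = [
    "2020-02-10T09:14:02Z cms INFO user=jane.doe@example.com login ok from 10.20.30.40",
    "2020-02-10T09:14:05Z mw DEBUG forward GET /api/v2/orders -> 172.16.8.9:8443 srv=Tomcat/9.0.31",
    "2020-02-10T09:14:07Z shop INFO newsletter signup customer@example.net status=200",
    "2020-02-10T09:14:09Z mw WARN queue depth 42 on broker 203.0.113.7:5672",
]

if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{kind:15s} {n}")
    for line in SAMPLE_LOGS:
        print(redact_line(line))
```

Running it on the constructed lines reports one internal and one customer e-mail address, two private IPs, one port, one path and one version string; the fourth line, which only carries a public broker address, yields nothing. The redaction pass keeps the timestamp, component and message so the line remains useful for operations while removing what an attacker would use to map the LAN or pick an exploit for a known build.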

After making several phone calls and sending several emails over the
course of a few hours, Fowler was able to get a message through to the
security team at Estée Lauder, and the database was closed the same
day. It’s unclear how long the Estée Lauder database was exposed or
who else may have accessed the records during that time, he noted, so
customers should be on the alert for phishing emails.

“This is an example of how a simple error such as setting permissions on
a shared drive or a database can have significant consequences,” said
Erich Kron, security awareness advocate at KnowBe4, via email.
However, he praised the company for its quick action: “This is also a
lesson in how large organizations can improve on the process of
reporting potential data exposure quickly in order to rapidly resolve
the issue, especially in the modern electronic age where millions of
records can be stored in a single place and be accessed from nearly
anywhere in the world. I give Estée Lauder credit for quickly
resolving the issue once they were informed about it, as many
organizations move far too slowly in this respect.”

Misconfigured, internet-exposed databases continue to be a common
problem, including for very big, brand-name companies with years’
worth of data. In January for instance, it was revealed that
misconfigured Microsoft cloud databases containing 14 years of
customer support logs had exposed 250 million records to the open
internet for 25 days. The account info dates back as far as 2005 and
is as recent as December 2019 — and exposes Microsoft customers to
phishing and tech scams.

