[BreachExchange] Brazil’s cosmetic giant Natura leaked 192 million records with payment data

[Destry Winant]

https://www.hackread.com/brazis-cosmetic-giant-natura-leaked-192m-records/

The massive security failure by The Natura & Co Group exposed 2
misconfigured AWS databases for weeks to the public.

A multi-billion dollar company based in Sao Paulo, Brazil has been
found exposing highly sensitive, personal, and financial data of its
customers. What’s worse is that the data was hosted on two
misconfigured databases publicly available for anyone to access
without any security authentication.

Known as Natura around the world; the company in the discussion is
owned by The Natura & Co Group, a global personal care cosmetics group
with representation in 73 countries across the globe. The same group
owns beauty giants like Aesop, The Body Shop, and Avon.

According to researchers at Safety Detectives who identified the
exposed data, both databases contained more than 192 million records.
One database hosted records worth 1.3TB while the second database had
272GB of data.

In a report shared with Hackread.com, the researchers revealed the
victims of the breach are more than 250,000 Natura customers who
shopped using the company’s website. Moreover, 40,000 customers’ Moip
(mobile communications over internet protocol) account details
belonging to Wirecard with access tokens were also left exposed
without any security protocol.



An in-depth analysis from researchers shows that both databases
exposed the following information:

Gender
Full name
Nationality
Date of Birth
Telephone number
Previous purchases
MOIP account details
Mother’s maiden name
Welcome email template
Username and nickname
Email and physical addresses
Access token for wirecard.com.br
API credentials including unencrypted passwords
Natura.com.br login credentials including hashed passwords

However, it didn’t end here. The researchers also identified
confidential details related to the company’s cyber infrastructure
such as a .pem certificate key along with “client secret.”

“The compromised server contained website and mobile site api logs
thereby exposing all production server information. Furthermore,
several “Amazon bucket names” were mentioned in the leak including PDF
documents referring to formal agreements between various parties,”
researchers analysed.

Although 90% of victims in the breach are Brazilians, the good news is
that both databases have been secured after researchers contacted
Amazon directly, due to the non-serious attitude of Natura who didn’t
respond to the researchers in time and left the data exposed for
weeks.

Originally, the data was discovered on 12 April 2020, but researchers
believe that it was exposed since 26 March 2020.

If you are a Natura customer contact the company and inquire about the
breach. Also, this is an ideal situation for hackers who might use the
opportunity to conduct phishing scams using the stolen email addresses
and pretend to be representatives from the company.

Therefore, watch out for malicious emails, do not click on any link
given in the email, and refrain from putting your personal data in
response to the email. Such emails can ask for full name, payment card
details, PIN code, passwords, physical address, phone numbers, driver
license, passport, or national insurance numbers.


Nevertheless, the fact that Natura had its database exposed to the
public for weeks is enough to imagine the upcoming damage in case a
third-party with malicious intent got their hands on it. As seen
recently, cybercriminals have been scanning for exposed databases,
stealing the data and selling it on dark web marketplaces, or leaking
it on hacker forums for free download.

One such case was reported last month when personal details and phone
numbers of 42 million Iranians were exposed on an Elasticsearch server
and ended up on the dark web and a hacker forum for sale within days.

In another case, Hackread.com reported that a misconfigured
Elasticsearch server exposed the personal information of 267 million
(267,140,436) Facebook users in December 2019. A year later in April
2020, the same database was being sold for $600 (€549 – £492) on a
hacker forum.