[BreachExchange] Arbonne MLM data breach exposes user passwords, personal info

Destry Winant destry at riskbasedsecurity.com
Fri May 29 10:32:51 EDT 2020


https://www.bleepingcomputer.com/news/security/arbonne-mlm-data-breach-exposes-user-passwords-personal-info/

International multi-level marketing (MLM) firm Arbonne International
exposed the personal information and credentials of thousands after
its internal systems were breached by an unauthorized party last
month.

Arbonne is a privately held California-based company acquired by
Groupe Rocher in 2018, with annual revenues of over $500 million and a
network of more than 200,000 independent consultants from the United
States, the United Kingdom, Canada, Australia, Poland, and New
Zealand.

Data breach impacts thousands of Californians

"On the evening of April 20, 2020, Arbonne became aware of unusual
activity within a limited number of its internal systems," Arbonne
says in a data breach notification letter filed with the Office of the
Attorney General of California.


"On April 23, 2020, the investigation identified a data table
containing limited personal information that may have been accessible
to unauthorized actor."

According to Arbonne's breach notification, 3,527 California residents
were impacted in the incident, with the following types of personal
information being exposed to unauthorized access: names, email and
mailing addresses, order purchase histories, phone numbers, and
Arbonne account passwords.

While the company shared the number of affected Californians, the
total number of impacted individuals is currently unknown, although
Maryland, New York, New Mexico, North Carolina, and Rhode Island
residents are advised to contact their Attorney General for more info.

BleepingComputer has reached out to Arbonne for more details but had
not heard back at the time of this publication. This article will be
updated when a response is received.

Arbonne says that the affected users' payment card or government ID
information, such as Social Security numbers, was not exposed in the
breach based on the ongoing investigation's results.

Passwords reset for all affected user accounts

"While our investigation is ongoing, in an abundance of caution, we
forced a password reset for all users whose passwords may have been
subject to unauthorized access and we notified these users to ensure
they were aware of this incident," Arbonne added.

The data breach experienced by the MLM company was also reported to
the FBI and relevant regulators.

Following the incident, Arbonne provides all impacted individuals with
twelve months of free credit monitoring, fraud consultation, and
identity theft restoration services from Kroll.

The company also provides a customer service support hotline at
800-ARBONNE, open "Monday through Friday, 7 am – 8 pm Pacific excluding
national holidays."

Last month, the U.S. Federal Trade Commission warned Arbonne to direct
its independent consultants to stop making claims on social media that
some of its products "treat or prevent Coronavirus Disease 2019
('COVID-19')."

The company answered by stating that all representatives who failed to
adhere to FTC guidelines will have their accounts de-registered.

