On January 30, Jeremiah Fowler, data analyst and security consultant at Security Discovery, found data records belonging to Estée Lauder, a popular American multinational manufacturer, and marketer of prestige skincare.
The researcher claims to have found roughly 440 million (440,336,852 to be precise) records including the company’s internal emails in plain text format. The data was stored on the database without any security authentication meaning anyone could have accessed the data.
Reportedly, there is no evidence that customer records or payment-related data could be at risk with this exposure. This means, at the moment there isn’t any direct risk for the company’s customers or clients or customers of its subsidiary brands including MAC and Clinique.
However, Fowler noted that the middleware related hacked data can possibly create an entry point for cybercriminals, using which they can gain access to more sensitive data in the near future. For your information, Middleware is software that Estée Lauder uses to facilitate common services or capabilities to applications that aren’t part of the operating system.
As explained by Fowler, the applications handled by Middleware include “data management, application services, messaging, authentication, and API management. Another threat is the creation of a secondary path for malware, which Middleware can easily create. This may lead to compromising of all those applications and data that the software handles.
“In this instance, anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” Fowler wrote in blog post.
Estée Lauder hasn’t revealed the number of exposed user emails but in its emailed statement, the company noted that the emails weren’t related to consumers and came from its internal education platform. However, Fowler stated that most of the emails he discovered in plain text format contained the @esteecom domain.
Nonetheless, we should praise Estée Lauder for responding promptly and blocking public access to the database on the same day it was discovered.