Avon Products, Inc. is owned by Brazil’s Natura & Co., which itself leaked over 192 million records in May 2020.
The cyber security researchers at SafetyDetectives, led by Anurag Sen, have discovered a misconfigured cloud database containing data of the popular cosmetics brand Avon. The unprotected server has leaked 19 million records so far, including personal data and technical logs.
Avon is owned by the Brazil-based Natura & Co., which acquired a 78% stake in it in January 2020. Interestingly, as previously reported by Hackread.com, Natura itself got embroiled in a data leak controversy in May 2020 after an unprotected ElasticSearch database was discovered on an Azure server, leading to the exposure of over 192 million records.
One of the databases at that time contained 1.3TB worth of data, while the other had about 27GB of exclusive data.
It was SafetyDetectives that discovered that ElasticSearch database in May 2020, and this time around as well, it is the same team reporting the Avon data leak.
In their blog post, the researchers mentioned that Avon’s US website server was not protected by any security measures, which is why they were able to access it easily. This means that anyone who knew the server’s IP address could access Avon.com’s open database.
The server stored the company’s web and mobile sites’ API logs; therefore, all production-related data, including over 40,000 internal OAuth tokens got exposed after the breach.
OAuth tokens serve the same purpose as other access tokens, authenticating a user to an account, but they expire after a set time. Hence, a fresh token has to be obtained whenever the previous one expires, which is what refresh tokens are for.
In this case, both the sign-in (access) and refresh OAuth tokens got exposed, giving malicious threat actors enough information to gain full access to an Avon account.
Furthermore, the exposed database contains Personally Identifiable Information of its employees and customers, including sensitive details like:
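The exposure described above starts with tokens being written into production API logs in the first place. As an added example (not code from SafetyDetectives, Avon or the leaked database), here is a small Python sanitizer that masks access and refresh tokens in constructed log lines before they are persisted, and counts how many it found; run over an existing log store, the same count gives a quick measure of how many tokens are already sitting in it.

```python
import re
from typing import List, Tuple

# Constructed sample API log lines (hypothetical, not from the leaked database).
SAMPLE_LOG = [
    '2020-06-04T10:01:12Z POST /api/v1/login 200 '
    'body={"access_token":"eyJabc.DEF.ghi","refresh_token":"rt_0123456789abcdef","expires_in":3600}',
    '2020-06-04T10:01:15Z GET /api/v1/orders?access_token=eyJabc.DEF.ghi 200',
    '2020-06-04T10:02:40Z GET /api/v1/profile 200 Authorization: Bearer eyJabc.DEF.ghi',
    '2020-06-04T10:03:01Z GET /healthz 200',
]

# The three places OAuth tokens usually land in request/response logs:
# Authorization headers, JSON token-response bodies, and query strings.
TOKEN_PATTERNS = [
    re.compile(r'(?i)(?P<pre>\bbearer\s+)(?P<tok>[A-Za-z0-9._~+/=-]+)'),
    re.compile(r'(?i)(?P<pre>"(?:access|refresh|id)_token"\s*:\s*")(?P<tok>[^"]+)'),
    re.compile(r'(?i)(?P<pre>[?&](?:access|refresh)_token=)(?P<tok>[^&\s]+)'),
]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every token value in one log line; return (masked_line, tokens_found).

    Only the token length is kept, so an analyst can still see that a token was
    present (and whether it looked well-formed) without the secret itself.
    """
    found = 0

    def mask(m: "re.Match") -> str:
        nonlocal found
        found += 1
        return f"{m.group('pre')}[REDACTED len={len(m.group('tok'))}]"

    for pat in TOKEN_PATTERNS:
        line = pat.sub(mask, line)
    return line, found


def sanitize(lines: List[str]) -> Tuple[List[str], int]:
    """Sanitize a batch of log lines; return (clean_lines, total_tokens_found)."""
    clean, total = [], 0
    for ln in lines:
        out, n = redact_line(ln)
        clean.append(out)
        total += n
    return clean, total
```

Apply `sanitize` in the log shipper before lines reach any shared store; a non-zero count on lines that are already stored is a signal to rotate the tokens involved.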
- Full names
- Phone numbers
- Dates of birth
- Email addresses
- Physical addresses
- GPS coordinates
- Last payment amounts
- Names of company employees (suspected but not confirmed)
- Administrator user emails
According to the report, the database hosted around 7 GB worth of data, which remained exposed for nine days (from 3 June 2020 to 12 June 2020). Avon issued a statement on June 9, 2020, confirming that its systems were interrupted because of an ‘incident’ that ‘partially affected’ its operations.
Avon issued another statement a few days later to confirm that financial data wasn’t compromised, as its ‘main e-commerce website’ doesn’t store financial information. The company also confirmed that operations around the globe were affected by the incident, which is why its service was functioning normally in some regions and was offline in others.
Internal log showing company employee name (Image: SafetyDetectives)
Exposure of PII is a point of concern as it can allow cybercriminals to launch a range of scams, including identity fraud or phishing schemes. On the other hand, exposure of technical data, especially OAuth tokens, poses a great risk for Avon, as a hacker can obtain full server control, install ransomware, exploit its payments infrastructure, and cause permanent damage to the company.
It isn’t yet clear if this incident has any connection to the cyber-incident that happened in May.