Breach, Data Security, Network Security

No glossing this over: Leaky Estée Lauder database exposes 440M records

The Estée Lauder Companies Inc. accidentally left over 440 million records publicly exposed after failing to password-protect a corporate database, according to a researcher who spotted the oversight.

The misconfigured database was found to contain emails in plain text, including those sent from internal email addresses; references to reports and internal documents; and IP addresses, ports, pathways and storage information. Additionally, it stored Production, Audit, Error, CMS and Middleware logs. All in all, a grand total of 440,336,852 was left open for public discovery.

Estée Lauder has stated publicly that consumer information was not stored in the database.

Security Discovery researcher Jeremiah Fowler, who authored a company blog post about the leak, said he discovered the exposed database on Jan. 30 and immediately disclosed the error to Estée Lauder. Reportedly, the New York-based personal care and make-up manufacturer fixed the problem that same day.

In the blog post, Fowler explained the significant of finding middleware in the database: "Data management, application services, messaging, authentication, and API management are all commonly handled by middleware," wrote Fowler. "Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.

It is unknown how long the data leak existed, how many user email addresses were affected and if any additional unauthorized parties were able to access the data.

Fowler told Forbes that the database "appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more."

SC Media reached out to Estée Lauder for comment and received the following official statement: "On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.