A publicly configured database owned by Tarte Cosmetics reportedly exposed online customers' names, addresses, emails, and purchase histories, plus the last four digits of their credit card numbers.

Here's one case where you might say the crime was worse than the cover-up.

Make-up company Tarte Cosmetics exposed the personal information of nearly 2 million online customers after two of its online MongoDB databases were misconfigured for public access, according to researchers from MacKeeper's Kromtech Security Center.

Even worse, a known cybercriminal group dropped a ransom note into one of the unsecured databases, strongly suggesting the malicious actors discovered, observed and perhaps stole the data. The note, from the ransomware group CRU3LTY, demands 0.2 bitcoins for recovering the database once its data is deleted or encrypted. However, no such attack has taken place.

Online shoppers who purchased from Tarte over a 10-year time span from 2008-2017 are potentially impacted. In an Oct. 23 blog post, Kromtech notes that the compromised data includes names, addresses, emails, and purchase histories, plus the last four digits of their credit card numbers.

Kromtech states that on Oct. 20, after the researchers had spent two days attempting to contact the company, Tarte secured the two databases -- collectively 8.7 GB in size -- even though the researchers reportedly never received an official response.

SC Media has reached out to Tarte for comment.
