Cosmetic Company Leaks 2 Million Customer Details Online

New York Based Cosmetic Company Leaks 2 Million Customer Details Online

Buying products online is more common than ever before, and for some products it is the only way, but how safe is your private data? It feels more and more like consumers are gambling with their data with every purchase. Almost every week there seems to be another massive data leak, hack, or security breach that exposes customer data. This week the Kromtech Security Center discovered a publicly accessible database that appears to be connected to Tarte Cosmetics.

The New York-based Tarte's products are sold at department stores and large retailers in the United States such as Macy's, Sephora, Ulta, and Beauty Brands, and in Sephora stores in Canada, Australia, and a handful of countries in Asia. However, customers in countries without these retail locations, and rural customers, often buy their cosmetics online. It was these customers who made their purchases online that had their data exposed. Tarte is considered a "cult-favourite" makeup brand, and that is clear from the number of customers in the database.

How Did the Leak Happen and What Was There?

On October 18th Kromtech security researchers discovered a MongoDB database that was connected to Tarte Cosmetics and contained data for almost 2 million US and international customers (exactly 1,891,928 records) who shopped via its online store between 2008 and 2017. The incident occurred when a MongoDB server was set up without proper security measures: the administrators at Tarte left a security setting public instead of private and exposed the data of 2 million customers in the process.


After further investigation, researchers realized that there were at least two misconfigured MongoDB databases (3.8 GB and 4.9 GB in size). Both were misconfigured to allow public access and had been indexed by Shodan, the IoT search engine. What is even more disturbing is that the data had apparently already been accessed by the ransomware group "CRU3LTY", who left their standard ransom note inside the database demanding 0.2 bitcoins to restore the database once the data had been deleted or encrypted.
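The two settings that turn a MongoDB instance into an open database are the listener being bound to every interface and authorization being switched off; a server with both will be found by Shodan-style scanners and can be read and wiped by anyone who connects. The script below is an added example written for this article, not Kromtech's tooling or anything from Tarte: it audits a `mongod.conf` for those two settings and shows a weak configuration beside a hardened one. The sample configuration texts are constructed, and the parser handles only the flat two-level layout of a typical `mongod.conf`, not full YAML.

```python
"""Audit a mongod.conf for the two settings that expose a MongoDB instance:
listening on all interfaces and running without authorization.
Added example for illustration; the sample configs are constructed."""

# Constructed: a configuration resembling an exposed instance ...
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the whole internet
"""

# ... and the same instance after hardening: local listener, auth required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:\\n  key: value' layout used by mongod.conf.
    Deliberately minimal: two-level mappings only, comments stripped."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll listens on all interfaces")
    elif "bindIp" in net:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append("net.bindIp listens on all interfaces (0.0.0.0/::)")
    else:
        # mongod before 3.6 bound to all interfaces when bindIp was absent,
        # so an unset value must be treated as exposed, not as safe.
        findings.append("net.bindIp is not set; mongod before 3.6 binds all interfaces by default")

    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'; any client reaching the port can read and delete data")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running it reports two findings for the weak configuration and none for the hardened one. Binding to localhost and enabling authorization are the baseline; a firewall rule restricting port 27017 to application hosts, and a periodic scan of your own address space for unexpectedly answering MongoDB ports, are the checks that catch the case where a server is rebuilt without them.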


However, the data has not been deleted; it is still accessible and contains the following information:

  • Customer name
  • Customer address
  • Customer email
  • Purchase history
  • Last 4 digits of credit card


On Friday the 18th and the 19th we tried to get in touch with Tarte and sent several security alerts. On Friday the 20th all Tarte-related databases were secured, though with no word from the company.

The Danger of this Leak 

Cyber criminals have in the past used leaked information to reach out to customers with phishing emails and see who replies. In this instance they would already have the last 4 digits of the credit card on file, and with 2 million customers they would have all the personal information needed to trick victims into believing they are confirming their credit card with a company they trust. It appears that criminals have already accessed the customer data. With all of the other data leaks online, criminals could even cross-reference this data against other breaches and obtain a customer's full card number or more information. Ransomware alone could be devastating to a company large or small if it does not have its data backed up or a security plan in place.

This is just another wake-up call for companies to put security measures in place and prepare for the unpredictable yet inevitable nature of cyberattacks. Companies that collect and store payment data will continue to have a very high exposure to cyberattacks and related security risks. This discovery shows once again that many companies are still not putting enough focus on how they manage security risks.

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.

Do you have security tips or suggestions? Contact: security@kromtech.com
