THE WHAT? Estée Lauder has exposed 440 million records online via an unprotected database, according to a report by Forbes.
THE DETAILS Researcher Jeremiah Fowler from Security Discovery discovered that the website, thought to be part of a CMS or middleware, was not password protected and contained plain-text email addresses of users from a company-owned education platform.
Speaking to Forbes, Fowler said, “The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more. As soon as I saw email addresses, I was able to validate these were real people and immediately contacted Estée Lauder.”
The website was not consumer facing; however, it is thought to pose a security risk because the exposed data could be used for reconnaissance ahead of a larger attack on the network.
Fowler said, “A danger of this exposure is the fact that middleware can create a secondary path for malware. Through which applications and data can be compromised.”
Estée Lauder has now blocked access to the database.
THE WHY? Playing down the implications of the case, Estée Lauder released a statement, which read, “On 30 January 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet.
“This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorised use of the temporarily accessible data.”