The Estée Lauder Companies Inc. accidentally left over 440 million records publicly exposed after failing to password-protect a corporate database, according to a researcher who spotted the oversight.
The misconfigured database was found to contain emails in plain text, including those sent from internal email addresses; references to reports and internal documents; and IP addresses, ports, pathways and storage information. Additionally, it stored Production, Audit, Error, CMS and Middleware logs. All in all, a grand total of 440,336,852 was left open for public discovery.
Estée Lauder has stated publicly that consumer information was not stored in the database.
Security Discovery researcher Jeremiah Fowler, who authored a company blog post about the leak, said he discovered the exposed database on Jan. 30 and immediately disclosed the error to Estée Lauder. Reportedly, the New York-based personal care and make-up manufacturer fixed the problem that same day.
In the blog post, Fowler explained the significant of finding middleware in the database: "Data management, application services, messaging, authentication, and API management are all commonly handled by middleware," wrote Fowler. "Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.
It is unknown how long the data leak existed, how many user email addresses were affected and if any additional unauthorized parties were able to access the data.
Fowler told Forbes that the database "appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more."
SC Media reached out to Estée Lauder for comment and received the following official statement: "On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties."
