192 Million Data Records Exposed in Natura Cosmetics Data Leak

The latest large-scale data leak exposed 192 million records containing personally identifiable information of customers in Brazil. Natura, one of the country’s largest cosmetics companies, had a leaky database hosted on two unprotected US-based Amazon servers.

Natura Cosmetics Data Breach: What Happened?

The leaky database was discovered by Safety Detectives. According to the report, 250,000 customers who had previously ordered beauty products from Natura’s website had their personal information made available to the public without the company’s knowledge. However, that’s not all. Payment information of 40,000 customers related to a third-party company known as Wirecard was also exposed for more than 2 weeks.




What is strange about the data leak is that, since it was discovered and Natura was informed, the size of the exposed data has been reduced from 272GB to 27.2GB, according to server logs, the researchers said. “This is a strong indication of purposeful impropriety aimed at concealing the severity of the leak. For example, an ill-intentioned hacker removing a precise number of records to conceal their actions.”


The compromised server contained website and mobile site API logs, which exposed all production server information. A number of “Amazon bucket names” were also mentioned in the leak, including PDF documents referring to formal agreements between various parties, the researchers added.
In short, the leaky database contained over 270GB of data with more than 192 million records, with the following personal details:

Full name
Mother’s maiden name
Date of Birth
Nationality
Gender
Natura.com.br login credentials including hashed passwords
Welcome email template
Username and nickname
MOIP account details
API credentials including unencrypted passwords
Previous purchases
Telephone number
Email and physical addresses
Access token for wirecard.com.br

The outcomes of such a data leak are numerous, and they are all bad for the involved individuals. In addition to the malicious attacks, such as phishing, that customers can be targeted with, the leaked data could also be used in identity fraud and further criminal activity. “Exposed details about the backend, as well as keys to servers, could be leveraged to conduct further attacks and allow deeper penetration into existing systems,” the researchers concluded.

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
