Security researchers recently discovered an unsecured database that belongs to Avon. The server didn’t have any basic security measures in place, and could be easily accessed.
Thanks to this security weakness, researchers at SafetyDetectives uncovered 19 million records of individuals associated with Avon, including personal information of employees and website data. While the leak itself is hardly surprising, Avon’s subsequent reactions could point to more serious implications than the scenario of “just another data leak“.
Avon’s Data Breach: What Happened?
On June 9, Avon released a data breach statement and a regulatory filing, confirming the incident and adding that it interrupted some of their systems and partially affected operations. Then, on June 12, Avon Products released a second regulatory filing, explaining that “after suffering the cyber incident communicated on June 9, 2020” the company is “planning to restart some of its affected systems in the impacted markets throughout the course of next week.”
The filing also clarified that the company is continuing its investigation to determine the extent of the data breach, including which personal details may have been compromised. At this point, however, the company did not anticipate any credit card details being affected, because the main e-commerce website doesn’t store that information.
A third update released by Avon said that the company had successfully reestablished most of its operating systems and resumed operations in most of its markets, including most distribution centers.
Privacy experts at SafetyDetectives, however, believe that the three separate statements are not in fact associated with the data breach they discovered in June.
Avon’s server also contained internal logs that could be repurposed by nefarious users to harm Avon’s IT infrastructure. Hackers could potentially harness the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners.
However, it is important to note that, at this stage, it remains unclear whether Avon’s server vulnerability and its extensive operational issues in recent weeks are connected.
As for the database, it contained more than 7GB of data including personally identifiable information and non-personal technical information:
- Names, phone numbers, date of birth and physical address
- Email addresses, GPS coordinates, last payment amounts
- Names of company employees (not confirmed)
- Administrator user emails
- More than 40,000 security tokens
- OAuth tokens and internal logs
- Account settings and server information
More specifically, using the index logs, the security experts were able to find the following records:
- More than 665,000 technical log entries, including token values and internal resources such as APIs,
- Almost 3 million technical log entries and errors including private/sensitive information such as login PIN codes sent by SMS, date of birth and phone numbers,
- 11,000+ entries marked as “salesLeadMap”, showing values such as full names, addresses, account settings, dates of birth, token values, last payment amounts and GPS coordinates,
- Approximately 780,000 technical log entries exposing potentially sensitive technical information, such as administrator user emails and what seems to be a list of admin system permission categories,
- Close to 450,000 technical log entries and application/Java errors, potentially exposing sensitive technical information about the server.
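As an added, defensive illustration (not code from SafetyDetectives, Avon or the original article): a small Python log scrubber that redacts the kinds of values the researchers found in the index logs (token values, SMS PIN codes, dates of birth, phone numbers, GPS coordinates) before such lines are written or indexed. The field names and the sample log lines are constructed for this example.

```python
import re

# Constructed sample log lines, modelled on the record categories reported
# above. Every value here is made up for this example.
SAMPLE_LOG = """\
2020-06-01 10:02:11 INFO auth token=oauth_9f8e7d6c5b4a3210ffee user=rep1234
2020-06-01 10:02:15 INFO sms pin=483920 sent to phone=+1-555-0142
2020-06-01 10:03:40 DEBUG salesLeadMap dob=1987-04-12 lat=40.7128 lon=-74.0060
2020-06-01 10:04:02 ERROR java.lang.NullPointerException at OrderService.java:88
"""

# Field-level patterns for values that should never sit in clear text in a log.
# The key=value field names are hypothetical; adapt them to the real schema.
PATTERNS = {
    "token": re.compile(r"(\btoken=)\S+"),
    "pin": re.compile(r"(\bpin=)\d{4,8}"),
    "phone": re.compile(r"(\bphone=)[+\d\-()]+"),
    "dob": re.compile(r"(\bdob=)\d{4}-\d{2}-\d{2}"),
    "gps": re.compile(r"(\b(?:lat|lon)=)-?\d+\.\d+"),
}


def redact_line(line):
    """Replace each sensitive value with [REDACTED], keeping the field name.

    Returns the cleaned line and a list with one entry per redacted value."""
    hits = []
    for name, pat in PATTERNS.items():
        line, n = pat.subn(r"\1[REDACTED]", line)
        hits.extend([name] * n)
    return line, hits


def scrub_log(text):
    """Scrub every line of a log. Returns the clean text plus per-field counts;
    any non-zero count means secrets reached the log and should raise an alert."""
    counts = {}
    clean = []
    for line in text.splitlines():
        out, hits = redact_line(line)
        clean.append(out)
        for h in hits:
            counts[h] = counts.get(h, 0) + 1
    return "\n".join(clean) + "\n", counts
```

Running `scrub_log(SAMPLE_LOG)` leaves the Java stack-trace line untouched while the token, PIN, phone, date-of-birth and both GPS values are replaced.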
Avon’s Data Breach: the Impact
Not surprisingly, Avon.com’s server breach could lead to several threatening outcomes for affected individuals. For one, exposed details could be exploited for identity fraud and various scams. Furthermore, the abundance of leaked details could be utilized in malware attacks and full server takeover. Such malicious consequences could “permanently damage the Avon brand; namely, ransomware attacks and paralysing the company’s payments infrastructure“, the researchers warn.
Can you guess the number of stolen user details being sold in underground forums?
According to a recent, detailed paper by Digital Shadows Photon Research, some 15 billion credentials are circulating on hacker forums, enabling account takeover, identity theft, and other types of malicious attacks and activities.
“The average person uses some 191 services that require them to enter passwords or other credentials,” researchers said. This presents a huge problem in case of any account compromise, especially if the individual uses the same credentials across multiple services.
In short, the security researchers observed more than 15 billion user credentials for sale on underground forums. These credentials originate from more than 100,000 data breaches, and at least 5 billion of them are unique.