Cybersecurity researchers have discovered that the personal data of about 2.5 million Canadian customers of cosmetics brand Yves Rocher was left exposed because it was hosted on an unsecured database.
Researchers from vpnMentor found the exposure in the Elasticsearch database in which Yves Rocher customers' data was stored. Customer information that may have been compromised includes first and last names, dates of birth, phone numbers, email addresses, and zip codes.
The exposure allowed outside actors to reach the database's application programming interface (API), which was meant for use by Yves Rocher employees, the researchers noted. vpnMentor concluded that the API not only allowed anyone who reached it to read customer data, but also to add, delete, and modify it.
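The exposure described above is the kind a practitioner can confirm non-destructively: an Elasticsearch REST API that answers `GET /` with cluster metadata when no credentials are supplied is readable by anyone who can reach it, and `_cat/indices` then reveals which indices (and how many documents) are exposed. The script below is an added example written for this article; it is not vpnMentor's tooling or anything from Aliznet or Yves Rocher, and the index names and document counts in its test data are constructed. It only issues GET requests, so it establishes read exposure; do not test write access (index creation, deletion, or document updates) against systems you do not own.

```python
"""Non-destructive check for an Elasticsearch HTTP API that answers without credentials.

Added example, not code from the original article or from vpnMentor, Aliznet or
Yves Rocher. Only GET requests are sent; the target URL is an assumption the
caller supplies.
"""
import json
import urllib.error
import urllib.request

# Read-only Elasticsearch endpoints: cluster banner and per-index summary.
ROOT = "/"
CAT_INDICES = "/_cat/indices?format=json&h=index,docs.count,store.size"


def classify(status, body):
    """Map the HTTP status and decoded JSON body of GET / to an exposure verdict.

    A 200 whose body carries 'cluster_name' is an Elasticsearch node answering an
    unauthenticated client. A 401/403 means something is enforcing credentials.
    Anything else (non-JSON page, connection failure) is not evidence either way.
    """
    if status == 200 and isinstance(body, dict) and "cluster_name" in body:
        return "open"
    if status in (401, 403):
        return "auth-required"
    return "unknown"


def summarize_indices(rows):
    """Turn _cat/indices JSON rows into (index, doc_count) tuples, largest first.

    docs.count is absent or null for closed indices, so treat missing as 0.
    """
    out = []
    for row in rows:
        count = row.get("docs.count")
        out.append((row["index"], int(count) if count not in (None, "") else 0))
    return sorted(out, key=lambda t: t[1], reverse=True)


def fetch(url, timeout=5.0):
    """GET url with no credentials; return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return e.code, None
    except (urllib.error.URLError, OSError, ValueError):
        return None, None


def probe(base_url):
    """Describe what an unauthenticated client can read from base_url."""
    base = base_url.rstrip("/")
    status, body = fetch(base + ROOT)
    verdict = classify(status, body)
    result = {"url": base_url, "verdict": verdict, "indices": []}
    if verdict == "open":
        result["version"] = body.get("version", {}).get("number")
        st, rows = fetch(base + CAT_INDICES)
        if st == 200 and isinstance(rows, list):
            result["indices"] = summarize_indices(rows)
    return result


if __name__ == "__main__":
    import sys

    # Assumed default target; pass a URL as the first argument to override it.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    r = probe(target)
    print(f"{r['url']}: {r['verdict']}")
    for name, docs in r["indices"][:10]:
        print(f"  {name:40s} {docs:>12,d} docs")
```

A verdict of "open" on a host that is reachable from the internet is exactly the condition reported here; the fix is to bind the node to a private interface and require authentication, not to hide the index names. Note that a 200 response without `cluster_name` is deliberately reported as "unknown", since a web server or proxy on port 9200 will also return 200 and should not be mistaken for an exposed cluster.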
"The data breach exposed full contact details for individual customers of Yves Rocher. Hackers, scammers, and advertisers can easily exploit this information. With access to your address, email addresses, and phone number, malicious parties can create sophisticated phishing schemes and ransomware attacks," vpnMentor said in a statement.
TEISS reported that the database is owned and managed by French consulting company Aliznet, which also offers its services to other major companies such as IBM, Oracle, Salesforce, Sephora, and Louboutin.
vpnMentor also found records of over six million customer orders for Yves Rocher products in the unsecured database. Each recorded order detailed the transaction amount, the currency used, the delivery date, and the location of the store where the order was placed. Because orders and customer records shared unique customer IDs, the researchers were able to determine which order was placed by which customer.
The researchers also discovered that the database contained a variety of internal information, such as store traffic statistics, turnover, order volumes, product descriptions, product prices, offer codes, and even ingredients for more than 40,000 retail products.