Estée Lauder is the latest big-name brand to suffer an embarrassing data leak, after a researcher found an unsecured online database exposing 440 million records, including email addresses stored in plain text.
Security Discovery’s Jeremiah Fowler made the discovery on January 30, claiming the non-password protected database exposed a total of 440,336,852 records.
It’s unclear how many user emails were exposed, but the cosmetics giant claimed in an emailed statement that they were “non-consumer” and instead came from an internal “education platform.” Fowler confirmed that many of the emails he saw in plain text belonged to the @estee.com domain.
There was no sign of payment data or sensitive employee information in the database either. Although the direct risk to customers and staff from this leak therefore appears to have been negligible, Fowler warned that other information in the database may have been of interest to attackers.
“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” he explained.
“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”
Although it took Fowler multiple attempts to pass on details of his discovery to the right team, Estée Lauder has been praised as acting “fast and professionally” to block public access to the database on the day of the discovery.