440 Million Logs and Records
On 30 January, 2020, independent security researcher Jeremiah Fowler discovered a vast database that was not password protected. The database contained a massive amount of potentially sensitive information. Among the millions of logs and records there were user emails in plain text; production, audit, error, CMS and middleware logs; and references to internal documents. Other information that could be useful to cybercriminals to gain deeper access into the company’s network and computing systems was also exposed. All in all, a grand total of 440,336,852 logs and records were left open for public discovery.
Available for Anyone on the Internet
The database was available to anyone on the internet. Particularly concerning, according to Jeremiah Fowler, was the fact that the breach included records pertaining to middleware. This is a type of software that lies between an operating system (OS) and the applications running on it. “[…] middleware can create a secondary path for malware, through which applications and data can be compromised”, Jeremiah Fowler explains. “In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”
Database Swiftly Secured
Jeremiah Fowler noticed the exposed data included email addresses and quickly verified to whom the database belonged. Next, he immediately sent a “responsible disclosure notice” to Estée Lauder, to alert them to the exposure. It still took several hours and multiple emails before Jeremiah Fowler was able to get to the right person. After this, the database was swiftly secured. “As in most large companies when reporting a data exposure, it is usually extremely difficult to get through the firewall of gate-keepers […]. After calling every phone number I could find I was able to reach someone by phone who then promised to pass on the information. The company acted fast and professionally and restricted public access to the database on the same day as my notification”, Jeremiah Fowler confirmed.
Further Details Unknown
In the time between Jeremiah Fowler’s discovery and Estée Lauder securing the database, it is unclear whether the database was accessed by any additional unauthorized persons. Furthermore, Fowler was not able to find out how long the data had been exposed before he discovered it or exactly how many user email addresses were affected. “As security researchers our primary goal is data protection and when we see consumer data of any kind the first priority is to alert the owner to take immediate action”, Jeremiah Fowler explained. “Our mission is to highlight data protection and raise awareness that companies and organizations must do more to protect the data they collect and store.” In an official statement Estée Lauder responded: “On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”