The massive security failure by The Natura & Co Group left two misconfigured AWS databases exposed to the public for weeks.

A multi-billion dollar company based in Sao Paulo, Brazil has been found to be exposing highly sensitive personal and financial data of its customers. What’s worse is that the data was hosted on two misconfigured databases that were publicly available for anyone to access without any authentication. Known as Natura around the world, the company in question is owned by The Natura & Co Group, a global personal care and cosmetics group with a presence in 73 countries. The same group owns beauty giants like Aesop, The Body Shop, and Avon.

According to researchers at Safety Detectives, who identified the exposed data, the two databases together contained more than 192 million records. One database held 1.3TB of records while the second held 272GB of data. In a report shared with Hackread.com, the researchers revealed that the victims of the breach are more than 250,000 Natura customers who shopped using the company’s website. Moreover, the Moip (mobile communications over internet protocol) account details of 40,000 customers, belonging to Wirecard and including access tokens, were also left exposed without any security protocol.

An in-depth analysis from researchers shows that both databases exposed the following information:

  • Gender
  • Full name
  • Nationality
  • Date of Birth
  • Telephone number
  • Previous purchases
  • MOIP account details
  • Mother’s maiden name
  • Welcome email template
  • Username and nickname
  • Email and physical addresses
  • Access token for wirecard.com.br
  • API credentials including unencrypted passwords
  • Natura.com.br login credentials including hashed passwords

However, it didn’t end there. The researchers also identified confidential details related to the company’s cyber infrastructure, such as a .pem certificate key along with a “client secret.”

“The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several ‘Amazon bucket names’ were mentioned in the leak, including PDF documents referring to formal agreements between various parties,” the researchers noted in their analysis.

Although 90% of the victims in the breach are Brazilians, the good news is that both databases have since been secured. This happened only after the researchers contacted Amazon directly, because Natura did not take the matter seriously, failed to respond to the researchers in time, and left the data exposed for weeks.
