Information Security News mailing list archives

Cosmetic giant Yves Rocher hit by data leak exposing 2.5 million customers


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 4 Sep 2019 05:48:16 +0000 (UTC)

https://techerati.com/news-hub/yves-rocher-data-breach-leak-exposed-aliznet-cybersecurity/

By James Orme
Techerati
September 3, 2019

Yves Rocher hit by wider breach affecting French retail consultancy Aliznet

Personal information belonging to customers of companies working with French
retail consultancy Aliznet, including 2.5 million customers of cosmetic and
beauty giant Yves Rocher, has been exposed in a data leak.

The Paris-based consultancy has previously served IBM, Salesforce, Sephora,
Louboutin and Inwi, although it is understood the most sensitive data belongs to
Canadian customers of Yves Rocher.

The exposed database was discovered by vpnMentor on an unprotected Elasticsearch
server after researchers working for the VPN review site discovered an
unprotected API interface for an application Aliznet created for Yves Rocher.
The researchers said the API gave them access to an explorer that hackers could
use to add, delete or modify data in the company database.

Alongside customer names, phone numbers, email addresses, dates of birth and zip
codes, the records included customer IDs that could be used in combination with
six million older Yves Rocher customer orders to identify further customers
based on their purchases. The records also included the names of employees who
processed each order and the location of the store.

[...]



--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_

