Written by James Orme Tue 3 Sep 2019

Yves Rocher hit by wider breach affecting French retail consultancy Aliznet

Personal information belonging to customers of companies working with French retail consultancy Aliznet, including 2.5 million customers of cosmetic and beauty giant Yves Rocher, has been exposed in a data leak.

The Paris-based consultancy has previously served IBM, Salesforce, Sephora, Louboutin and Inwi, although it is understood the most sensitive data belongs to Canadian customers of Yves Rocher.

The exposed database was found by vpnMentor on an unprotected Elasticsearch server. Researchers working for the VPN review site first came across an unprotected API interface for an application Aliznet had built for Yves Rocher, and that API led them to the database. The researchers said the API gave them access to an explorer that hackers could have used to add, delete or modify data in the company database.

Alongside customer names, phone numbers, email addresses, dates of birth and zip codes, the records included customer IDs that could be combined with six million older Yves Rocher customer orders to identify further customers based on their purchases. The records also included the names of the employees who processed each order and the location of the store.

The researchers said the leaked customer records could be exploited by hackers to run phishing schemes and ransomware attacks and to bypass two-factor authentication. Cyber criminals could also collate the information to commit credit card fraud and identity theft, the researchers added.

The leaked data also exposed the beauty giant’s store traffic, turnover, order volumes, product prices and offer codes, alongside Aliznet corporate information including job postings and employee profile portraits.

Yves Rocher competitors could have used the data to create highly effective advertising campaigns targeted at Yves Rocher customers, potentially leading to the company losing customers to competition, the researchers said.

The researchers added that the breach might be the tip of the iceberg and that there may be further unsecured databases and applications belonging to other Aliznet clients. It is not known if hackers managed to access the data or use it for malicious purposes.

vpnMentor did not disclose when it discovered the breach but said it alerted Aliznet and suggested ways to make its systems more secure. It said the leak could have been prevented with basic security measures: securing the servers, implementing appropriate access rules, and requiring authentication system-wide.
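As an added illustration, not configuration taken from Aliznet, Yves Rocher or vpnMentor, the two `elasticsearch.yml` fragments below contrast the exposed pattern behind leaks like this one (a cluster listening on every interface with security switched off) with a baseline that applies the measures the researchers list. The bind address and certificate paths are placeholders.

```yaml
# Fragment 1 - the exposed pattern (hypothetical, for contrast only).
# Binding to all interfaces with security disabled lets anyone who can
# reach port 9200 read, add, delete or modify every index unauthenticated.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# Fragment 2 - hardened baseline (placeholder address and paths).
# Bind only to a private interface; expose the cluster through a
# VPN, bastion or authenticating reverse proxy instead of the internet.
network.host: 10.0.1.20          # placeholder private address
http.port: 9200

# Require credentials or an API key on every request (system-wide
# authentication), so the REST API cannot be browsed anonymously.
xpack.security.enabled: true

# Encrypt the HTTP API so credentials are not sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder

# Encrypt node-to-node traffic; required when security is enabled
# on a multi-node cluster.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12    # placeholder
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12  # placeholder
```

With security enabled, the "appropriate access rules" the researchers mention are then expressed as roles, so an application account gets read or write access to its own indices only rather than the cluster-wide explorer the researchers found.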

“It does not take much effort for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases,” said Anurag Kahol, CTO at Bitglass.

“Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries. Such vulnerabilities can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed.”