Security researchers have found a major data breach at cosmetics giant Sephora. The research team, led by Aaron Phillips, can confirm that nearly half a million customers’ personal data was left unsecured online. Sephora is a large French cosmetics chain with many locations in the United States that is also trying to gain a foothold in Europe, including the Netherlands.
Affected users are members of the pre-2019 Sephora rewards program. We analyzed the leak and created a timeline of events.
What data was exposed?
The following personal data were exposed in the breach:
- Card numbers matching Sephora Beauty Inside
- Account numbers
- Full names
- Email addresses
- Phone numbers
- Sephora rewards points
The data was exposed when Sephora exported information from their database and stored the export in Amazon cloud storage.
Our team took screenshots, and a small snippet of the discovered data can be seen above. Sephora sealed the leak after a few days. As you can see, there was personal information in the fields full name, email, card_numbers, and phone_number.
Consequences of the leak
We found that data from at least 490,000 Sephora customers was involved in the leak. These are customers from Mexico who created their accounts before 2019. Based on the information we obtained, it appears that all of the customers whose information was leaked were members of the Sephora rewards program.
The card numbers that have been leaked appear to match Sephora Beauty Pass information, such as those of Sephora White members. Sephora left the data unsecured in cloud storage that anyone could reach via the internet.
Data exposed through an unsecured AWS S3 bucket
The source of the leak was a database backup file that was publicly available on the Internet. The backup was stored in an Amazon Web Services (AWS) S3 bucket belonging to Sephora.
The data was available for everyone to see because of the access policy the company had set on the bucket. In effect, anyone on the internet could read the files. This posed huge risks for customers.
Our security researchers believe that the data accidentally ended up online unprotected after a data migration in 2019.
Leak sealed after report
After our discovery, we reported the leak to Sephora. The company then closed it by removing public access to the bucket. The research team deleted the personal information it had collected.
Timeline of the leak
Below is a timeline of the data breach at Sephora.
| Event | Date |
| --- | --- |
| Security researcher Aaron Phillips discovers the leak | December 4, 2021 |
| Sephora notified at firstname.lastname@example.org | December 5, 2021 |
| Sephora notified at email@example.com | December 8, 2021 |
| Sephora closes the leak | December 17, 2021 |
Sephora participates in the HackerOne bug bounty program. The program only accepts bugs that affect the sephora.com domain. As a result, this vulnerability was not covered by the bug bounty program, since it involved an external domain.
Not the first cybersecurity incident at Sephora
This wasn’t the first time Sephora customer personal data had been exposed online. On July 30, 2019, there was a similar leak of personal data at the beauty giant. At that time, Sephora customers in Malaysia, Singapore, Indonesia, Thailand, the Philippines, New Zealand, and Australia faced the risk of a data breach.
At the time, Sephora notified the Personal Data Protection Commission (PDPC) of the issue. In addition, the company immediately called in the help of a reputable cybersecurity company. This resulted in all existing customer passwords being reset as quickly as possible and the vulnerabilities being patched. Since then, Sephora has also provided a free data monitoring service for affected customers.
According to Sephora’s official letter to their customers, there were no signs that the compromised information had been misused by malicious parties.
Still, it’s important to realize that cybercriminals are always looking for personal information and are practised at evading detection. It is therefore difficult to say whether the leaked information has been misused. Victims may not have linked fraud to the data breach, and the information may still be misused in the future, for example through phishing or identity fraud.
Amazon Web Services Vulnerable to Misconfiguration
This isn’t the first time Amazon customers have experienced “leaky buckets.” Previously, for example, millions of Facebook records were left lying around in a publicly accessible bucket. In addition, there was recently a massive breach at SEGA Europe due to a misconfigured Amazon bucket. How can Amazon’s S3 buckets lead to such a leak?
An S3 bucket resembles a folder on your computer. These folders are located in the Amazon cloud, which many companies use to make data accessible worldwide. S3 buckets are not insecure by themselves, but the access policy must be set properly to protect the data.
If a bucket’s access policy is not configured properly, private data may be exposed. AWS therefore warns its customers against unnecessarily broad access policies.
Yet there are also plenty of legitimate reasons to make a bucket publicly available, for example to host images for a website. Things go wrong when companies put personal information in public buckets. This also seems to have been the case at Sephora.
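As an added illustration (not taken from the article or from Sephora’s configuration), the snippet below shows the kind of bucket policy that exposes a backup to the whole internet next to a hardened version, and a small checker of the sort a defender would run over exported policies. The bucket name, account id and role name are constructed placeholders.

```python
import json

# Constructed sample policy (hypothetical bucket and account ids, not Sephora's):
# an Allow to Principal "*" makes a database backup readable by anyone on the internet.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-db-backups", "arn:aws:s3:::example-db-backups/*"]}]})

# Hardened version of the same policy: only one named IAM role may read the backup.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-db-backups", "arn:aws:s3:::example-db-backups/*"]}]})

def _as_list(value):
    """Policy fields may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _principal_is_anyone(principal) -> bool:
    """True if the Principal element grants to every AWS identity or anonymous users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_statements(policy_json: str) -> list:
    """Return the Allow statements that grant the whole internet access to the bucket.

    Statements carrying a Condition (e.g. aws:SourceVpc) are not counted as blanket
    public here; a real review should still inspect them by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _principal_is_anyone(stmt.get("Principal")):
            findings.append({"actions": _as_list(stmt.get("Action")),
                             "resources": _as_list(stmt.get("Resource"))})
    return findings

def public_access_fully_blocked(config: dict) -> bool:
    """Check an S3 PublicAccessBlockConfiguration: all four settings must be True
    for AWS to reject or ignore a policy like EXPOSED_POLICY."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)
```

The policy check catches the "Principal: *" pattern; the Block Public Access check is the account- or bucket-level guardrail that makes such a policy ineffective even if someone attaches it.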
The importance of cybersecurity in 2022
In recent years we have seen an unprecedented increase in sophisticated cyber-attacks with catastrophic consequences not only for individual organizations but for the internet in general. Some recent examples from 2020 and 2021 are the SolarWinds hack and the Log4Shell incident.
Cybersecurity companies know that strict security measures are the number one priority for any organization, mainly because of the amount of sensitive data that is kept and shared online. Companies must understand both internal and external risks. This Sephora case shows that any company in any industry can put its data at risk through cybersecurity flaws.
VPNOverview.com security researcher Aaron Phillips commented, “I think this Sephora breach really shows that these information leaks can affect anyone and ultimately lead to identity theft. Every business needs to raise its standards and follow best practices when dealing with customer data. Too many bad guys make money buying and selling information that’s left lying around in the cloud.”