More than 192 million records have been leaked when a server belonging to Brazilian cosmetic giant Natura was exposed to the public for two weeks.
Among the records were the personal information of more than 250,000 customers, including full name, date of birth, Natura website login credentials (incl. hashed passwords), MOIP account details, Api credentials (incl. unencrypted passwords), and email and physical addresses.
As well, payment information of a further 40,000 customers relating to Wirecard, a payment processor and financial services provider used by Natura, was made public. Delivery info such as purchase amount, cart id and cart details were visible, but personal details weren't matched to this information.
"The data leak was first discovered on 12 April 2020, although (we are) able to confirm that hundreds of gigabytes of information were available as early as 26 March 2020," stated the security team at Safety Detectives, who uncovered the data breach. "Around 90% of users were Brazilian customers although other nationalities were also present including customers from Peru."
In addition to personal information, the server contained website and mobile site API logs, which revealed all production server information, and numerous 'Amazon bucket names' that included PDF documents referring to formal agreements between various parties.
"Internal technical confidential details such as a .pem certificate key and a client secret were (also) discovered and publicly accessible," said Anurag Sen, the head of the security team. "The exposed .pem file creates a significant risk since it contains the key/password to the EC2 Amazon server."
Natura was immediately contacted about the leak. Once informed, the company secured the Amazon-hosted, US-located server and removed all private data from public view. The researchers waited "a few days" for confirmation the server had been secured before publishing their report, and during this time uncovered a second leaking server with 1.3TB of data.
"We didn't spend much time looking into this server as it seemed quite similar to the previous one and owner had already been confirmed," stated the team. Natura was contacted but no one no-one replied, so they contacted Amazon and the server was secured within days.
