Data Leak Hits 2.5 Million Customers of Cosmetics Giant Yves Rocher

A French retail consultancy exposed data on millions of its clients’ customers as well as sensitive business information, after researchers discovered an unsecured Elasticsearch database.

Aliznet, which specializes in digital transformation, names the likes of tech giants IBM, Oracle and Salesforce, retail leaders like Auchan, and big brands including Yves Rocher and Lacoste as its clients.

However, researchers from vpnMentor were able to access a private Aliznet database containing data on 2.5 million Canadian Yves Rocher customers. This included names, phone numbers, email addresses, dates of birth and postcodes.

They also discovered over six million customer orders in the database, including transaction amount, currency used, delivery date and store location.

“Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID,” the researchers explained.

Along with this sensitive personally identifiable information (PII) on customers, vpnMentor found internal Yves Rocher data including stats on store traffic, turnover and order volumes; product descriptions and ingredients for over 40,000 products; and product prices and offer codes.

This info could be a big asset to Yves Rocher’s competitors, allowing them to estimate store sales, order volumes and other trading data, the research team claimed.

“The exposed database also provides competitors with a list of Yves Rocher’s Canadian customers, complete with their name, age, contact information, and order histories,” it continued.

“Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.”

The vpnMentor team also found an API vulnerability allowing them to access an application built for Yves Rocher employees by Aliznet.

Using employee IDs exposed in the previously detailed leak, hackers could log in as Yves Rocher staff to obtain more data on the business and its customers, and even add, delete or modify data in the company database, vpnMentor claimed.