Unprotected Elasticsearch Database of Cosmetics Brand Yves Rocher Exposes Data of 2.5 Million Customers

• The database belonged to Aliznet, a French consulting company that provides services to companies around the world.
• A majority of affected customers were located in Canada.

Yves Rocher, a cosmetic company, has exposed data of millions of its customers after researchers discovered an unsecured Elasticsearch database. The database belonged to Aliznet, a French consulting company that provides services to companies around the world.

What data was exposed?

Discovered by researchers at VPNMentor, the misconfigured database primarily contained sensitive information of Yves Rocher, a client of Aliznet. It included private information such as first and last names, phone numbers, email addresses, birth dates and zipcode of about more than 2.5 million customers associated with the cosmetic brand.

The records also revealed something potentially sensitive called an FID number for each customer. The FID numbers are used by several countries for international shipping or tax purposes.

A majority of affected customers were located in Canada.

Order records also exposed

Apart from personally identifiable information, VPNMentor researchers had also discovered records of orders placed by more than six million customers.

“For each order, we were able to view the transaction amount, currency used, delivery date, and the location of the store where the order was placed. The order records also included the full name of the employee who processed each order, along with their employee ID,” added researchers.

Internal data also leaked

In addition to customers’ personal details, internal information related to Yves Rocher was also exposed. This included:

• Statistics describing store traffic, turnover, and order volumes;
• Product descriptions and ingredients for over 40,000 retail products;
• Product prices and relevant offer codes.

“Other parts of the leaked database linked to Aliznet’s corporate resources. These included PDF files containing previous Aliznet job postings and client success stories, Aliznet employee profile portraits, website media, and other promotional materials,” researchers explained.

Worth noting

The research team also discovered another serious vulnerability in the exposed Elasticsearch database. This enabled the researchers to access the API interface created by Aliznet for Yves Rocher. It is believed that hackers can exploit this vulnerability to steal additional information about the company and its customers.