The Estée Lauder Companies Inc. accidentally left over 440 million records publicly exposed after failing to password-protect a corporate database, according to a researcher who spotted the oversight.
The misconfigured database was found to contain user emails in plain text, including those sent from internal email addresses; references to reports and internal documents; and IP addresses, ports, pathways and storage information. Additionally, it stored Production, Audit, Error, CMS and Middleware logs. All in all, a grand total of 440,336,852 was left open for public discovery.
Security Discovery researcher Jeremiah Fowler, who authored the blog post, said he discovered the exposed database on Jan. 30 and immediately disclosed the error to Estée Lauder. Reportedly, the New York-based personal care and make-up manufacturer fixed the problem that same day.
In the blog post, Fowler explained the significant of finding middleware in the database: “Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” wrote Fowler. “Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.
It is unknown how long the data leak existed, how many user email addresses were affected and if any additional unauthorized parties were able to access the data.
Fowler told Forbes that the database “appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more.”
SC Media reached out to Estée Lauder for comment.