Natura cosmetics data breach: a quarter of a million customers exposed

One of the biggest online retailers in Brazil suffers a security incident that exposed personal data of customers

Data belonging to customers was exposed without the company's knowledge for at least two weeks. Cosmetics company Natura left hundreds of gigabytes of private customer data, covering both personal and payment information, publicly accessible without realising it.[1] Information on more than 250,000 customers could be reached by anyone, with no authentication or permission required.[2]

Customers who had previously ordered beauty products from the retailer were affected, as their personal information and payment details were exposed. In addition to Natura&Co customers, about 40,000 people linked to the payment processor Wirecard (through its Brazilian subsidiary Moip) were affected, since customer payment information was public for at least two weeks.

The researchers who discovered the 192 million exposed records stated:

The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several 'Amazon bucket names' were mentioned in the leak, including PDF documents referring to formal agreements between various parties.

Unprotected server revealed the key to the Amazon server that hosted the Natura site

SafetyDetectives researcher Anurag Sen discovered two unprotected Amazon-hosted servers holding personal information; one of them contained records belonging to the cosmetics retailer Natura.[3] At the time of discovery the server held 272 gigabytes of data. After the findings were reported and the company was informed, server logs showed the exposed volume had shrunk to 27.2GB.

Later log reports showed the amount of exposed data varying from day to day, with the most recent estimate at 69GB. Fluctuations like this are not unusual: attackers who find an open server sometimes delete or move records to cover their tracks, which can mask how severe a leak really was.

Besides customer data, the unprotected servers held a .pem file containing the private key for the Amazon EC2 instance on which the Natura website was hosted.[4] If that key were abused, attackers could log in to the server and inject a digital skimmer into the website, capturing users' passwords and payment card details the moment they are entered on the domain.
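As an added illustration (not code from the article, from Natura or from SafetyDetectives): the exposure pattern described above, a storage location readable by anyone with a private key sitting among the data, can be checked for offline from a bucket's ACL, its bucket policy and the objects it holds. The Python below evaluates constructed ACL and policy documents for grants to the AllUsers/AuthenticatedUsers groups or to a wildcard principal, and scans object bodies for PEM private key blocks. The bucket name, the policy, the log line and the key material are all hypothetical; the article does not say which AWS service was misconfigured, so this is the generic S3 form of the check rather than a reconstruction of the incident.

```python
"""Offline audit of S3 bucket ACL/policy documents and object contents.

Added example; not from the original article, Natura or SafetyDetectives.
The sample ACL, policy and object bodies below are constructed and the
bucket name is hypothetical.
"""
import json
import re

# Canned group URIs that S3 uses for "anyone" and "any AWS account" grants.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# PEM header written by openssl / ssh-keygen for the common private key types.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public ACL groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for Allow statements open to any principal.

    A statement with a Condition block is still reported, flagged as conditional,
    because a condition such as aws:Referer is not an access control.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def objects_with_private_keys(objects):
    """Return keys of objects whose body contains a PEM private key block."""
    return [key for key, body in objects.items() if PRIVATE_KEY_RE.search(body)]


def audit_bucket(name, acl, policy, objects):
    """Combine the three checks into one report for a bucket."""
    report = {
        "bucket": name,
        "public_acl": public_acl_grants(acl),
        "public_policy": public_policy_statements(policy),
        "private_keys": objects_with_private_keys(objects),
    }
    report["exposed"] = bool(report["public_acl"] or report["public_policy"])
    return report


# Constructed sample input: one owner grant plus a public READ grant ...
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# ... a policy with one world-readable statement and one scoped to a role ...
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}
# ... and two objects: an API log line and a (fake) PEM key.
SAMPLE_OBJECTS = {
    "logs/api-2020-04-01.log": '{"path": "/v1/orders", "status": 200}\n',
    "keys/web-prod.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
                         "-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-logs", SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_OBJECTS), indent=2))
```

In a real account the same three inputs come from `get-bucket-acl`, `get-bucket-policy` and a listing of object contents; the logic does not change, and the `exposed` flag together with any `private_keys` hit is exactly the combination this incident shows.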

Data of 250,000 Natura customers exposed

Reports revealed that a quarter of a million Natura customers who shopped on its sites were affected by the leak, and 40,000 Moip customers had their account details publicly exposed. Unprotected access tokens for Wirecard accounts were left exposed as well. The databases exposed:

  • gender;
  • full name;
  • nationality;
  • date of birth;
  • telephone number;
  • purchase history;
  • Moip account details;
  • mother's maiden name;
  • welcome email template;
  • usernames;
  • nicknames;
  • email address;
  • physical address;
  • access tokens for wirecard.com.br;
  • API credentials including unencrypted passwords;
  • natura.com.br login credentials including passwords.

The leak was discovered on 12 April 2020, but according to reports the data had been exposed since at least 26 March. Anyone who has dealt with Natura cosmetics should treat this incident seriously and expect malicious emails and phishing campaigns[5] from scammers. Change the passwords on your accounts, enable two-factor authentication where it is offered, and watch for unexpected charges on any payment card used with the retailer.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
