Brazil’s cosmetic giant Natura server misconfiguration exposes data of 192 million users with payment card data
This is a mistake that could impact millions of Brazilian citizens. Natura, a multi-billion-dollar cosmetics company from Brazil, could have exposed the data, including credit and debit card details, of nearly 192 million users.
Natura, based in Sao Paulo, is owned by The Natura & Co Group, a Brazilian multinational with a footprint in 73 countries across the globe. It also owns brands such as Aesop, The Body Shop, and Avon. According to researchers from Safety Detectives, Natura could have leaked highly sensitive personal and financial data of its customers. The Safety Detectives researchers found that the customer data was stored on two misconfigured databases that were publicly accessible to anyone, without any authentication. The researchers said the databases contained more than 192 million records. One database held 1.3 TB of records, while the second held 272 GB of data.
The researchers revealed that out of these 192 million records, the records of nearly 250,000 Natura customers had already been leaked by unknown entities without Natura’s knowledge. Payment information of 40,000 customers relating to a third-party company, Wirecard, was also publicly available for over two weeks. Wirecard provides MoIP (Mobile over Internet Protocol) services to Natura.
The research team, led by Anurag Sen, discovered a significant data leak of various items of personal information on a 272-gigabyte Amazon-hosted server located in the US. The leaked information contains:
- Full name
- Mother’s maiden name
- Date of Birth
- Natura.com.br login credentials including hashed passwords
- Welcome email template
- Username and nickname
- MOIP account details
- API credentials including unencrypted passwords
- Previous purchases
- Telephone number
- Email and physical addresses
- Access token for wirecard.com.br
The researchers also identified confidential details related to the company’s cyberinfrastructure such as a .pem certificate key along with “client secret.”
Safety Detectives informed Natura and Amazon about the misconfigured servers and the data leak. Natura did not take the issue seriously, while Amazon reconfigured the data servers and stopped them from exposing any further customer records.