Natura, Brazil’s Leading Cosmetic Brand, Leaks Users’ Personal Information

Natura Data Breach Exposes Millions of Customer Records

In a significant cybersecurity incident, Brazil’s largest cosmetics firm, Natura, left a large store of sensitive consumer data exposed online. An investigation found that the company had failed to secure well over a terabyte of data, leaving customers’ personal and payment details open to unauthorized access.

SafetyDetective researcher Anurag Sen identified two unsecured Amazon-hosted servers, one of 272GB and one of 1.3TB, together holding more than 192 million records. The exposed data includes personally identifiable information on approximately 250,000 customers, along with account login cookies and logs of various user activities.

The leaked information poses significant fraud risk: it includes Moip payment details for nearly 40,000 users who had linked their accounts with Natura, with full names, dates of birth, and payment card access tokens readily accessible. Around 90% of the affected individuals are Brazilian, but the leak also extends to customers in neighboring countries such as Peru.

The servers also contained logs of API interactions for the company’s website and mobile applications, which disclosed extensive detail about its production servers. Sen noted that the exposed data further included Amazon bucket names and PDFs of formal agreements, adding to concerns about exploitation by malicious actors.

Compromised personal information includes identifiers commonly used for account recovery, such as mothers’ maiden names, along with hashed login credentials and unencrypted API passwords. A .pem private key file was also found on the open server; the report describes it as the key to the Amazon EC2 instance hosting Natura’s website. Had that key and the plaintext credentials been used, an attacker with access to the web server could have injected malicious scripts into the company’s site and skimmed payment details from customers in real time as they entered them.
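The chain described above starts with secrets that should never have been in storage at all: plaintext API passwords and a private key sitting beside API logs. The following Python script is an added example for this article, not code from SafetyDetective or Natura; it scans log lines for the generic shapes of such secrets (PEM private key headers, AWS access key IDs, passwords in query strings, bearer tokens, session cookies) and reports each hit with the secret masked, so the report itself does not re-leak the value. The sample log lines are constructed for illustration and the regexes describe common formats, not anything specific to Natura’s data.

```python
"""Scan API log lines for the kinds of secrets found on the exposed servers.

Added example for this article, not code from SafetyDetective or Natura.
The log lines below are constructed for illustration; the patterns are
generic shapes of common secrets, not a description of Natura's formats.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# One regex per secret type. A capture group, where present, isolates the
# secret value so it can be masked in the report.
PATTERNS = {
    # Header of a PEM-encoded private key (PKCS#1, PKCS#8, OpenSSH, EC, DSA).
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Plaintext password in a query string, JSON body or key=value config.
    "plaintext_password": re.compile(
        r"(?i)(?:password|passwd|pwd)[\"']?\s*[:=]\s*[\"']?([^\s\"'&]+)"),
    # Bearer token in an Authorization header.
    "bearer_token": re.compile(
        r"(?i)authorization:\s*bearer\s+([A-Za-z0-9._~+/=-]{16,})"),
    # Session identifier carried in a Cookie header.
    "session_cookie": re.compile(
        r"(?i)\b(?:sessionid|jsessionid|phpsessid)=([A-Za-z0-9%._-]{16,})"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # the offending line with the secret value masked


def redact(line: str, match: "re.Match[str]") -> str:
    """Replace the captured secret (or the whole match) with a marker."""
    group = 1 if match.lastindex else 0
    start, end = match.span(group)
    return line[:start] + "***REDACTED***" + line[end:]


def scan_lines(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per (line, secret type) hit, secrets masked."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, kind, redact(line, match)))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Convenience wrapper: scan a whole log file held as one string."""
    return scan_lines(text.splitlines())


# Constructed sample resembling API access logs with secrets leaked into them.
SAMPLE_LOG = """\
2020-04-01T10:12:01Z GET /api/v1/login?user=alice&password=Summer2020! 200
2020-04-01T10:12:02Z POST /api/v1/payments Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl 201
2020-04-01T10:12:03Z GET /api/v1/profile Cookie: sessionid=9f86d081884c7d659a2feaa0c55ad015 200
2020-04-01T10:12:04Z deploy: wrote /opt/keys/web.pem -----BEGIN RSA PRIVATE KEY-----
2020-04-01T10:12:05Z config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE
2020-04-01T10:12:06Z GET /api/v1/catalog 200
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```

Run against the constructed sample, the scanner flags the first five lines (one secret type each) and passes the plain catalog request. The point of masking in `redact` is that such a report is usually pasted into tickets and chat, so the scanner must not become another copy of the secret; in practice this check belongs in the logging pipeline before data reaches storage, not only in post-breach triage.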

The exposure also created a risk of follow-on attacks built on the leaked server details. SafetyDetective attempted to alert the company last month but did not initially receive a timely response; after it contacted Amazon, the servers were secured.

It remains unknown whether anyone else accessed the data before the servers were secured. Natura customers should treat the exposure as a standing identity-theft risk: change the account password, change it anywhere the same password was reused (hashed credentials leaked, and weak hashes can be cracked offline), and watch financial statements for suspicious transactions. Because login cookies were among the exposed data, existing sessions should also be treated as compromised until they are invalidated.

The episode underscores the severe ramifications of inadequate security measures. The exposure of personally identifiable information not only heightens the risk of identity theft and fraud but also opens avenues for phishing and social engineering attacks. In light of these findings, the breach highlights an urgent need for enhanced cybersecurity practices within the cosmetics industry and beyond.

In MITRE ATT&CK terms, the exposure maps most directly to Data from Cloud Storage (T1530) against the unsecured Amazon-hosted storage, and to Unsecured Credentials (T1552) for the plaintext API passwords and the .pem private key found in the data. Had those been used, the follow-on steps would be Valid Accounts (T1078) to reach the EC2 instance and Use Alternate Authentication Material: Web Session Cookie (T1550.004) to replay the leaked login cookies. Business owners must recognize these threats and prioritize robust cybersecurity measures to safeguard sensitive customer data against similar breaches in the future.