Select Page

Brazil’s biggest cosmetics company Natura accidentally left hundreds of gigabytes of its customers’ personal and payment-related information publicly accessible online that could have been accessed by anyone without authentication.

SafetyDetective researcher Anurag Sen last month discovered two unprotected Amazon-hosted servers—with 272GB and 1.3TB in size—belonging to Natura that consisted of more than 192 million records.

According to the report Anurag shared with The Hacker News, the exposed data includes personally identifiable information on 250,000 Natura customers, their account login cookies, along with the archives containing logs from the servers and users.

Worryingly, the leaked information also includes Moip payment account details with access tokens for nearly 40,000 users who integrated it with their Natura accounts.

“Around 90% of users were Brazilian customers, although other nationalities were also present, including customers from Peru,” Anurag said.

“The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several ‘Amazon bucket names’ were mentioned in the leak, including PDF documents referring to formal agreements between various parties,” Anurag said.

images from Hacker News