Yves Rocher hit by wider breach.

It is reported that researchers at the security research firm vpnMentor discovered an unprotected Elasticsearch server exposing a private Aliznet database containing the records of 2.5 million Canadian Yves Rocher customers. The leaked data includes customer names, phone numbers, email addresses, dates of birth, and postal codes. The researchers also found more than 6 million customer orders in the database, including transaction amounts, the currency used, delivery dates, and store locations. Each order is associated with a unique customer ID.
In addition to this sensitive customer personally identifiable information (PII), the researchers also found Yves Rocher internal data, including store traffic, turnover, order volume statistics, and the product descriptions, ingredients, prices, and quotation codes of more than 40,000 products. The leaked database also handed Yves Rocher's competitors a list of Canadian customers, including their names, ages, contact details, and order histories.
The researchers also discovered an API vulnerability that allowed them to access applications built by Aliznet for Yves Rocher employees. Using the leaked employee IDs, an attacker could log in to Yves Rocher's systems to obtain more data about the business and its customers, and even add, delete, and modify data in the company's database.
Researchers warned, “The exposed database also provides competitors with a list of Yves Rocher’s Canadian customers, complete with their name, age, contact information, and order histories. Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.”
Published by Emerson L. Sullivan & last updated on September 6, 2019 2:53 am