
Estée Lauder hit with huge data breach


Cybersecurity researcher Jeremiah Fowler of Security Discovery has uncovered a huge and completely unprotected customer database owned by the cosmetics giant Estée Lauder.

More than 440 million individual data entries were found sitting in plaintext in a cloud database. The records included email addresses and data from the local CMS. No payment data or sensitive employee information was compromised.

“This company has been a household name for over 70 years and had an annual revenue of $14.863 billion in 2019 – it seems logical that there would be a large dataset associated with the business,” Fowler wrote.

He added that he still hasn’t identified how many different people can be found in the database, instead rushing to alert the company to the issue. Estée Lauder managed to close the database within 24 hours of Fowler's alert, but it's unclear how long the data remained exposed.

Internal emails could be used for phishing attacks, with hackers posing as team members to trick employees into downloading malware. IP addresses, ports, pathways and storage information could also be used to map out the company’s internal LAN or WAN.

Neither the Estée Lauder newsroom nor its Twitter account has yet referred to the incident or its resolution.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.