Natura, a personal care and beauty products company, suffered a data breach that compromised the personal information of more than 250,000 customers who had ordered products from its official website. SafetyDetectives' security experts discovered two unprotected servers hosted on Amazon, 272 gigabytes and 1.3 terabytes in size, containing databases with over 192 million Natura records.
In addition, the unprotected server also held a secret PEM (Privacy Enhanced Mail) file, which in turn contained the password for another cloud-based Amazon server on which the Natura website is hosted. Such a password could have allowed malicious attackers to install a skimmer on the company's website to steal users' payment card details in real time.
It was also found that the payment information of 40,000 customers from a third-party company was affected by the data breach.
Although the data breach was first discovered on April 12, 2020, researchers at SafetyDetectives stated that they could confirm that hundreds of gigabytes of information had been exposed since March 26, 2020.
According to experts, the exposed data includes personally identifiable information (PII) of customers such as first name, mother's maiden name, nationality, gender, hashed login password, username and nickname. Other important data exposed in the incident include account details, API credentials with unencrypted passwords, recent purchases, phone numbers, email and physical addresses, an access token for electronic payment systems, and account access cookies, along with archives containing server logs.
SOURCE: FEDERPRIVACY