Researchers have uncovered a misconfigured cloud server operated by cosmetics brand Avon, exposing more than 19 million records to the public. SafetyDetectives researchers found an Elasticsearch database on an Azure server with no password protection or encryption, so anyone who knew the server's IP address could read Avon's data. Elasticsearch releases of that era do not require authentication unless security is explicitly enabled, so an instance bound to a public address is readable by anyone who finds it.
The database held 7GB of data and had been open for nine days before it was discovered on June 12. Avon is a global cosmetics company with more than $5 billion in annual worldwide sales. The exposed data includes personally identifiable information on customers and employees: full names, phone numbers, dates of birth, home and email addresses, GPS coordinates, and more. In some cases, technical server information such as internal logs, account settings, and security tokens was exposed as well.
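The check a practitioner would run to confirm an exposure of this kind is to query the Elasticsearch REST API without credentials and see whether it lists its indices. The script below is an added example, not code from the article or from SafetyDetectives; it assumes the target speaks Elasticsearch's REST API on the default port 9200 and that you are authorised to probe it. The sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example (not from the article or from SafetyDetectives). Assumes the
host exposes Elasticsearch's REST API on port 9200 and that probing it is
authorised. The sample responses at the bottom are constructed, not captured.
"""
import json
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """GET a URL with no credentials and return (status, body).

    HTTP errors (401/403/404) are returned as their status rather than
    raised, so the caller can tell 'auth required' from 'open'. A host that
    cannot be reached at all yields (None, "").
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # subclass of URLError, so first
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def assess(root_status, root_body, indices_status, indices_body):
    """Classify a host from its '/' and '/_cat/indices?format=json' answers.

    Returns a dict with:
      exposure: 'open', 'auth_required', 'not_elasticsearch' or 'unreachable'
      indices:  list of (index_name, doc_count) when open
      docs:     total document count across the listed indices
    """
    empty = {"indices": [], "docs": 0}
    if root_status is None:
        return {"exposure": "unreachable", **empty}
    if root_status in (401, 403):
        return {"exposure": "auth_required", **empty}
    try:
        root = json.loads(root_body)
    except ValueError:
        root = {}
    # A real Elasticsearch root response carries a 'version' object with a
    # 'number' field; anything else on the port is some other service.
    if root_status != 200 or not isinstance(root, dict) \
            or not isinstance(root.get("version"), dict):
        return {"exposure": "not_elasticsearch", **empty}
    if indices_status != 200:
        return {"exposure": "auth_required", **empty}
    indices = []
    for entry in json.loads(indices_body):
        name = entry.get("index", "?")
        count = int(entry.get("docs.count") or 0)   # null for closed indices
        indices.append((name, count))
    return {"exposure": "open", "indices": indices,
            "docs": sum(c for _, c in indices)}


def probe(host, port=9200, scheme="http", timeout=5):
    """Live probe: hit '/' and '/_cat/indices?format=json' on the target."""
    base = f"{scheme}://{host}:{port}"
    root_status, root_body = fetch(f"{base}/", timeout)
    idx_status, idx_body = fetch(f"{base}/_cat/indices?format=json", timeout)
    return assess(root_status, root_body, idx_status, idx_body)


# Constructed sample responses shaped like the real API, for an offline run.
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "es",
                        "version": {"number": "7.6.2"},
                        "tagline": "You Know, for Search"})
OPEN_INDICES = json.dumps([
    {"index": "customers", "docs.count": "1200000", "health": "green"},
    {"index": "employees", "docs.count": "50000", "health": "green"},
    {"index": "logs-2020.06", "docs.count": "700000", "health": "yellow"},
])
LOCKED_ROOT = json.dumps({"error": {"type": "security_exception"},
                          "status": 401})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))        # live probe of a host you own
    else:
        print(assess(200, OPEN_ROOT, 200, OPEN_INDICES))
        print(assess(401, LOCKED_ROOT, 401, LOCKED_ROOT))
```

Run it with a hostname to probe a system you control; with no arguments it classifies the constructed responses. A result of `open` with a non-empty index list is exactly the condition the researchers describe: the index names and document counts are readable by anyone who reaches the port.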