Tarte Cosmetics, a cruelty-free cosmetics brand carried by major retailers like Sephora and Ulta, exposed the personal information of nearly two million customers in two unsecured online databases.
The databases were publicly accessible and included customer names, email addresses, mailing addresses, and the last four digits of credit card numbers, according to the Kromtech Security Centre, the firm that discovered the exposed data.
“At Tarte, keeping customer information fully secure is our No. 1 priority. We are aware of this potential issue, which we are actively investigating,” James Novara, Tarte’s vice president of e-commerce & IT, said in a statement. “At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary,”
There’s some indication that Kromtech’s researchers weren’t the only ones to stumble on the data—according to the security firm, the database included a ransom note from a group known to seize unsecured databases.
“Databases also contained a ‘WARNING’ folder left by ransomware group CRU3LTY with its standard note demanding 0.2 bitcoins for recovering the database,” Kromtech’s chief security communications officer Bob Diachenko said. Although Cru3lty typically wipes data and demands a ransom to return it, the Tarte data appeared to be intact.
The data includes customers who apparently shopped on Tarte’s website between 2008 and 2017, Diachenko explained. Diachenko shared redacted screenshots of the data and the ransom message with Gizmodo. About 500 of the email addresses contained in the database are from .gov or .mil domains, he said.
Tarte appears to have managed its customer information with open-source database program MongoDB, which has been a popular target for ransomware attacks. Older versions of MongoDB didn’t require a password by default, and so databases were sometimes accidentally set up without any password. Although this insecure default isn’t in the latest version of MongoDB, there are still lots of older databases online that are easy targets for cyber criminals.
Diachenko cautioned that it’s difficult to determine exactly who exposed the data—it’s possible that the exposure could be attributed to a payment processing contractor, or a third-party retailer. However, after Kromtech notified Tarte of the exposed databases, they were taken offline. “The database names (‘tartecosmetics’ and ‘tartecosmetics_loopback’), the content of the files and description of goods, internal notes, credit notes—all this points to Tarte as being one of the potential owners, if not the database itself, but the data,” he explained.
Although the database doesn’t contain full credit card information, security experts said that the leak could still be dangerous for consumers—if hackers were willing to put in a little extra work.
The exposure of emails and addresses in the database might also raise privacy concerns, said Amanda Rousseau, a malware researcher with Endgame. However, since the database doesn’t appear to contain passwords or full credit card numbers, the risk is limited. “Having the address and email you can do some identity theft but without passwords and the full credit card info that’s all you can do,” she said.
On its own, that kind of data isn’t very valuable. But attackers could use the contact information and partial credit card numbers to launch a phishing campaign aimed at consumers, Diachenko warned.
“The very first thing I thought of when I looked at this information, especially since it includes email addresses, is phishing campaigns,” said Sophie Daniel, an information security consultant who specialises in social engineering attacks. As a self-described paid “corporate spy,” Daniel is frequently contracted by companies to conduct on-site penetration testing, one aspect of which is convincing employees to reveal personal information that’s supposed to remain confidential.
Even with the limited personal details contained in the Tarte breach, there’s plenty of opportunity for criminals seeking further access to even more sensitive data. If you wanted to be “diabolical” about it, Daniel said, the breach itself might prove a useful attack vector. For example, the hackers could email all two million customers while pretending to be Tarte notifying them of the breach. The email might suggest that Tarte takes “security very seriously,” while encouraging customers to sign in, “change passwords” or “verify information.” In this scenario, a link included in the email might lead customers to a phony Tarte site, the information submitted being delivered to the hackers, not the company.
The email might suggest, for instance, “while you’re there, go ahead and make sure we have the proper payment information,” Daniels said. “At two million customers, I can craft a pretty convincing phishing campaign to get a good deal of personal financial information out of a few thousand of their customers. And that’s being generous.”
There are, however, a few things Tarte can do now to protect its customers. The most important is promptly alerting them to the breach before a malicious hacker can—preferably in an email that doesn’t contain any links. Companies need to take special care, Daniel noted, to make sure their own breach solutions don’t appear fraudulent. Following revelations of its own recent breach, credit reporting agency Equifax screwed this up by directing breach victims to a suspicious-looking and easily-faked URL.
“That’s a problem with a lot of these companies,” Daniel said. “When they try to respond to data breaches, they make it look like a phishing email. They need to take special precautions.”