Hundreds of thousands of customers of a cosmetics company had their personal data exposed because of a misconfigured cloud storage account. The security research team at analytics site WizCase traced the leak to an incorrectly configured Amazon Web Services (AWS) S3 storage bucket belonging to Turkish beauty company Cosmolog Kozmetik.
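The article does not say how the bucket was misconfigured, so the following is an added example rather than anything from WizCase or AWS: an offline check of the two settings that most often make an S3 bucket world-readable, a bucket ACL granting the AllUsers or AuthenticatedUsers group, and a bucket policy that allows Principal "*", weighed against the account's Block Public Access settings. The three inputs mirror the shapes that boto3's get_bucket_acl, get_bucket_policy (its "Policy" string) and get_public_access_block return, but every value below (bucket name, owner ID, policy) is a constructed sample, not a real bucket, and the "is this public" logic is a simplified heuristic, not AWS's full evaluation.

```python
"""Offline exposure check for an S3 bucket's ACL, bucket policy and Public Access Block.

Added example, not code from the original article, WizCase or AWS. The sample
configurations at the bottom are constructed for illustration.
"""
import json

# The two predefined groups whose presence in an ACL makes a bucket public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group, permission)] for grants to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is a wildcard.

    Unconditional ones are definitely public; ones carrying a Condition are
    flagged for review, because the condition may or may not narrow access.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            found.append({"Sid": stmt.get("Sid"), "Action": actions,
                          "Conditional": "Condition" in stmt})
    return found


def bucket_exposure(acl, policy_json, public_access_block):
    """Combine the three settings into an exposure verdict.

    IgnorePublicAcls makes S3 ignore existing public ACL grants, and
    RestrictPublicBuckets neutralises a public bucket policy; BlockPublicAcls
    and BlockPublicPolicy only stop *new* public settings from being written,
    so they do not clear an exposure that already exists.
    """
    pab = public_access_block or {}
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    acl_exposed = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    policy_exposed = bool(policy_hits) and not pab.get("RestrictPublicBuckets", False)
    return {
        "public": acl_exposed or policy_exposed,
        "acl_exposed": acl_exposed,
        "policy_exposed": policy_exposed,
        "public_acl_grants": acl_hits,
        "public_policy_statements": policy_hits,
    }


# Constructed samples (not real data): an ACL with a public READ grant, a
# policy allowing anyone to GetObject, and the two Public Access Block states.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-orders-bucket/*"}],
})
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}  # the recommended default for any bucket

if __name__ == "__main__":
    print("weak config:    ", bucket_exposure(LEAKY_ACL, LEAKY_POLICY, NO_BLOCK))
    print("hardened config:", bucket_exposure(LEAKY_ACL, LEAKY_POLICY, FULL_BLOCK))
```

In a real audit you would feed the same functions the live output of the three boto3 calls for every bucket in the account; the point of the hardened case is that turning on all four Block Public Access settings neutralises an existing public ACL and policy without having to find and remove each one first. Object-level ACLs and cross-account grants are outside what this check looks at.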
The leak contains 20GB of data and nearly 9,500 files, including thousands of Excel files that exposed the personal information of 567,000 users who purchased the retailer’s items across multiple e-commerce platforms.
Although the research team did not uncover any payment information, they found the customers' full names, physical addresses and purchase details among the leaked orders; in some cases phone numbers and email addresses were also exposed. The orders range from 2019 to the present day, which indicates that the data store is still being updated, as Infosecurity has noted.
WizCase points out that many of those whose details were exposed may be unaware of the leak, because marketplace shoppers often do not check the name of the seller they are buying from.
Cosmolog Kozmetik, which also sells under the name Marketlog, trades on the leading Turkish e-commerce platforms Trendyol, Hepsiburada and Unishop.
WizCase warns that if threat actors found and copied the exposed data, it could put those buyers at risk of phishing and fraud, including refund scams. The site added that customers could even suffer physical theft of packages if criminals use the order details to track shipments and steal them once they reach customers' homes.
“Cybercriminals are always coming up with new methods to exploit anyone vulnerable on the Internet,” points out WizCase in a blog post detailing the privacy issue. “For future purposes, we always recommend entering as little information as possible when making a purchase or opening an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attacks.”
Although WizCase contacted the Turkish CERT, AWS and Cosmolog Kozmetik about the exposure, none of them had responded at the time of writing.