Cosmetics firm Avon faces new cyber security incident

Avon, the cosmetics brand that suffered an alleged ransomware attack in June 2020, has found itself at the centre of a new and significant security incident after inadvertently leaving a Microsoft Azure server exposed to the public internet without password protection or encryption.

Discovered by Anurag Sen of security tool comparison service SafetyDetectives, the vulnerability meant that anybody who possessed the server’s IP address could have accessed an open database of information.

The latest incident comes a little over a month after Avon confirmed a major security incident, although not confirmed to have been a ransomware attack, that took its back-end systems offline and left many of its renowned representatives unable to place any orders.

According to SafetyDetectives, the leaky server contained API logs for Avon’s web and mobile sites, which means that all production server information, including 40,000 security tokens and internal OAuth tokens, was exposed.

OAuth, an open standard authorisation framework for online token-based authorisation, enables end-user account information to be used by a third-party service such as Facebook or Twitter without exposing their credentials to it. Effectively, it acts as a go-between.

OAuth tokens expire after a certain amount of time, which means users must generate refresh tokens to get a new one. In the case of Avon’s vulnerability, both sign-in and refresh tokens were exposed, which means it would have been possible for a hacker to gain full access to a user account.

The server also contained internal logs that cyber criminals could have used to attack Avon’s IT infrastructure, or inject cryptominers, malware or ransomware into its systems. It is possible that this is what was behind the firm’s operational issues, although, as Sen said, it is very important to note that no link has yet been confirmed.

Other data exposed included personally identifiable information (PII) including full names, phone numbers, birth dates, email addresses, home addresses, GPS coordinates, payment amounts, Avon employee names (suspected), and admin user emails.

Sen said the SafetyDetectives team found close to 7GB of data and more than 19 million document records on the server, which has now been secured.

In a report detailing the team’s work, SafetyDetectives’ Jim Wilson said the breach could yet have a significant impact on Avon.

“First and foremost, exposed details could potentially be used to conduct identity fraud across different platforms and institutions,” he said. “Users’ contact details could be harnessed to conduct a wide variety of scams, while personal information from the leak could be used to encourage click-throughs and malware download. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger-magnitude intrusion in the future.

“Worryingly, the leak exposed reams of technical logs which could be used to not only target Avon customers, but also Avon’s IT infrastructure directly, leading to further security risks and financial ramifications.”

Wilson added: “Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand – namely, ransomware attacks and paralysing the company’s payments infrastructure.”

Raif Mehmet, Europe, Middle East and Africa (EMEA) vice-president at Bitglass, said that, unfortunately for Avon, the exposure of server data via cloud misconfiguration was something for which the data owners had to take responsibility.

“Time and again, cloud misconfiguration issues allow servers to expose sensitive data that is not protected or encrypted, enabling unauthorised access and a host of other headaches for the enterprise and its data subjects,” said Mehmet.

“A recent Gartner report cited that 99% of cloud security failures will be the customer’s fault through 2025, and consequently misconfigurations will continue to be a leading cause of data leakage across all organisations. To prevent future incidents and protect customer data, organisations need to have full visibility and control over their customers’ data.”

Censornet CEO Ed Macnair added: “The leaked information – including phone numbers, dates of birth and home and email addresses – provides hackers with everything they need to launch a multitude of sophisticated and targeted attacks. Cyber criminals only need to be given an inch and they will take a mile, and the company has certainly left itself and its customers in a vulnerable position. Besides the potential cyber security ramifications, as customers’ home addresses have been exposed, their physical safety could also be at risk.”

Avon had not responded to a request for comment on this incident at the time of writing.