Tarte Cosmetics is the latest beauty brand to suffer a security breach, which revealed the personal information of around two million online customers.
Tarte suffered an email service ‘glitch’ back in September, which affected around 1,400 orders but the company claimed at the time that this was not caused by a security breach.
However, during what it described as a routine security audit on 18 October, security specialist Kromtech Security Center discovered a publicly accessible MongoDB database that appeared to belong to Tarte.
The personal details of customers who had used Tarte’s website from 2008 onwards were viewable.
“What immediately drew our attention was the fact that it was unprotected, available for anyone to view and even edit,” said Bob Diachenko, Chief Security Communications Officer at Kromtech.
Details included customers’ names and addresses, email addresses, purchase history and the last four digits of their credit card numbers.
Diachenko said the incident appeared to have occurred when a MongoDB server was set up without proper security measures. The administrators at Tarte left the security setting at the default of ‘public’ instead of changing it to ‘private’, thus exposing the data.
“After further investigation, researchers realised that there were at least two misconfigured MongoDB databases,” Diachenko wrote on Mackeepersecurity.
“What is even more disturbing is that apparently the data was accessed by the ransomware group Cru3lty, who left their standard ransom note inside the database demanding 0.2 bitcoins for recovering the database once the data has been deleted or encrypted.
“This discovery shows once again that many companies are still not putting enough enough focus on how they manage security risks.”
The data was not deleted, however, and the database appears to have been secured on 20 October.
Tarte was unavailable for comment at the time of going to press.