Yves Rocher, the largest cosmetics company, suffers a data breach; all customers’ information leaked

Large tech companies, enterprise services, banking institutions and government organizations are not the only ones affected by the activities of malicious hackers. This time, web application security specialists reported a data breach in a third-party service that has resulted in the leak of data belonging to millions of customers of the major French cosmetics company Yves Rocher.

The incident occurred due to a poorly configured database belonging to the tech company Alzinet, which specializes in digital transformation and, in addition to Yves Rocher, works for other large companies, such as Lacoste.

A group of web application security experts from the vpnMentor firm managed to access one of the company’s confidential databases, where the records of around 2.5 million Yves Rocher customers in Canada were stored. Among the data exposed during the incident are:

  • Full names
  • Phone numbers
  • Email addresses
  • Birth dates

In addition to this personal data, researchers accessed more than six million records of company operations data, including order amount, currency used for payment, delivery dates and the location of the store with which the purchase orders were placed.

As if that wasn’t enough, web application security experts discovered that each order is linked to a unique customer identification key. “By comparing the company’s customer records with purchase orders it was possible to identify which users placed each order,” the experts added.

The data breach not only exposed information from the company’s customers. In their report, experts mention that the database also stored data about Yves Rocher’s operations, including some metrics on users’ traffic in some branches, sales and order volumes, details about some products, raw material data and sales codes.

According to web application security specialists from the International Institute of Cyber Security (IICS), the leaked information about the company’s internal operations could be a matter of great interest to some of its competitors, so the exposure of this database is a really inconvenient issue for everyone involved. “If other companies accessed this information they would have the resources to deploy marketing campaigns specifically targeted to Yves Rocher customers, leaving the company at risk of losing a significant portion of its customers worldwide,” the experts added.

This is not the first time a cosmetics company has suffered a similar incident. A few weeks ago, thousands of customers of the French company Sephora in Asian territories began receiving a notification from the company, informing them that a large amount of information had been leaked from one of the company’s databases. Sephora asked customers to reset their passwords and offered information monitoring services to prevent malicious use of the leaked data.