Yves Rocher has been the victim of a personal data leak because of a hacking attack on the French consulting firm Aliznet. Personal information belonging to customers of companies that work with Aliznet, including 2.5 million customers of cosmetics giant Yves Rocher, was found in the hands of hackers.
The Paris-based consulting firm has previously served IBM, Salesforce, Sephora, Louboutin and Inwi. Note that most sensitive data belong to Canadian Yves Rocher customers.
The exposed database was discovered by vpnMentor on an unprotected Elasticsearch server after researchers working for the VPN review site discovered an unprotected API interface for an Aliznet application created for Yves Rocher. The researchers said that the API gave them access to an explorer that hackers could use to add, delete, or modify data in the company's database.
Along with customer names, phone numbers, emails, dates of birth, and postal codes, the files included customer IDs, which could be used in conjunction with Yves Rocher's six million older customer orders to identify further customers based on their purchases. The records also include the names of the employees who processed each order and the location of the store.
The researchers said that the leaked customer files could be exploited by hackers to run phishing schemes, launch ransomware attacks and bypass two-factor authentication. Cybercriminals could also gather information to commit credit card fraud and identity theft.
The leaked data also showed store traffic, turnover, order volumes, product prices and promotional codes, along with Aliznet corporate information, including job postings and employee profiles.
The researchers added that the breach may be only the beginning of the trouble and that there may be other unsecured databases and applications owned by other Aliznet customers. It is not known if hackers managed to access the data or use it for malicious purposes.