One of the world’s most popular beauty product brands, Avon, has been found to have suffered a significant data breach. It was discovered on the company's web server during an investigation in June 2020: the server was publicly exposing data with no password protection or encryption, so anyone who knew the server's IP address could instantly access the business's ‘open’ database.
In a recent statement, Avon declared that no financial information was at risk, as this is not stored on its main e-commerce website. The company has taken steps to fix the vulnerability and ensure it cannot recur; as a result, its online operations are at different stages of restoration around the world, and some regions are still offline.
Avon has also stated that, to its knowledge to date, no personal data has actually been breached, even though it was exposed through the system’s vulnerability.
What was exposed?
The most serious exposure was of ‘OAuth tokens’. (OAuth is an authorisation protocol, in other words a set of rules, that allows a third-party website or application to access a user's data without the user having to share their login credentials. Such tokens usually expire after a limited time.) The data breach revealed that over 40,000 security tokens had been exposed. A token of this kind is sufficient for cyber-criminals to gain full access to an account.
Avon.com’s server also contained internal logs that malicious hackers could reuse to harm the company's IT infrastructure, for example by planting malware or conducting ransomware attacks against the server’s owners.
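As an added example (not code from the article or from Avon), here is one defensive measure against the failure mode described above: scrubbing OAuth tokens out of log lines before they are written, so that a log store which is later left exposed does not leak usable credentials. The log lines, token values and pattern list are constructed for illustration.

```python
import re

# Constructed sample log lines (not real Avon data) showing the usual places an
# OAuth token ends up in server logs: an Authorization header, an access_token
# (or authorisation code) in a query string, and a JSON field in an audit event.
SAMPLE_LOGS = [
    'GET /api/v1/profile Authorization: Bearer ya29.a0AfH6SMBx_example_token_value',
    'POST /oauth/callback?code=4/0AX4XfWh_example&access_token=abc123DEF456ghi789',
    '{"event":"token_issued","user":"alice","access_token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig"}',
    'GET /health 200 OK',
]

# Each pattern keeps the key or scheme (so the log stays readable and searchable)
# and replaces only the secret value. Group 1 is the part we keep.
TOKEN_PATTERNS = [
    # "Bearer <token>" in an Authorization header (RFC 6750 token68 charset)
    re.compile(r'(Bearer\s+)[A-Za-z0-9\-._~+/]+=*'),
    # token or authorisation code passed as a query/form parameter
    re.compile(r'\b((?:access_token|refresh_token|id_token|code)=)[^&\s]+'),
    # token carried in a JSON string field
    re.compile(r'("(?:access|refresh|id)_token"\s*:\s*")[^"]+'),
]

REDACTED = '[REDACTED]'


def redact_tokens(line: str) -> str:
    """Return the log line with every recognised OAuth secret replaced by [REDACTED]."""
    for pattern in TOKEN_PATTERNS:
        line = pattern.sub(r'\1' + REDACTED, line)
    return line


def redact_all(lines):
    """Scrub a batch of log lines; call this before lines reach disk or a log shipper."""
    return [redact_tokens(line) for line in lines]


if __name__ == '__main__':
    for original, cleaned in zip(SAMPLE_LOGS, redact_all(SAMPLE_LOGS)):
        print(cleaned if cleaned == original else f'{cleaned}   <- scrubbed')
```

Redaction at write time is a complement to, not a substitute for, access controls on the log store itself; it limits what an exposed database can leak.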
Below is some of the information exposed:
- Full names
- Phone numbers
- Dates of birth
- Email addresses
- Physical addresses
- GPS coordinates
- Last payment amounts
- Administrator user emails
Data Breach Impact
Avon.com’s server breach could pose several potential dangers to affected users.
With any of the information in the list above, users' details could be used for identity theft, or their contact details could be used in wider scams such as ‘phishing’ or ‘spear phishing’.
Given the type and amount of sensitive information made available, hackers could establish full server control and take severely damaging actions that permanently harm the Avon brand, namely ransomware attacks and paralysing the company’s payments infrastructure.
Preventing Data Exposure
Here are some essential points on how to protect your private data online and help you to
- Be cautious of what information you give out and to whom.
- Check that the website you are on is secure (look for https and/or a closed lock).
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.).
- Create secure passwords by combining letters, numbers, and symbols.
- Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be.
- Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust.
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks.
- Use good, reputable antivirus security software; well-known options include Norton 360 and McAfee Antivirus Software.