Amazon Web Services Misconfiguration Exposes Half a Million Cosmetics Customers

Hundreds of thousands of retail customers had their personal data exposed thanks to a misconfigured cloud storage account, Infosecurity has learned.

A research team at reviews site WizCase traced the leaky Amazon S3 bucket to popular Turkish beauty products firm Cosmolog Kozmetik.

The 20GB trove contained around 9,500 files, including thousands of Excel files which exposed the personal information of 567,000 unique users who bought items from the provider across multiple e-commerce platforms.
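The leak described here is the textbook public S3 bucket: a bucket whose Block Public Access settings, bucket policy or ACL let anonymous callers list and read objects. The following is an added example, not code from the article or from WizCase or Cosmolog Kozmetik, of the audit a cloud security team runs over those three settings to catch such a bucket before anyone outside does. The bucket name, account id, role name and policy documents are constructed sample data; in a real account the same dictionaries come from boto3's `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl` calls, and the check is the same.

```python
"""Offline audit of an S3 bucket's public-exposure settings (constructed sample data)."""
import json

# The two pre-defined grantee groups that make an ACL grant world-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for the wildcard principal forms IAM treats as 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for unconditional Allow statements granted to everyone."""
    findings = []
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        # Conditional grants still deserve review, but they are not blanket-public.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) for ACL grants to the global groups."""
    grants = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            grants.append((grantee["URI"], grant.get("Permission")))
    return grants


def audit_bucket(name, public_access_block, policy, acl):
    """Combine the three settings into a list of findings and an 'exposed' verdict."""
    pab = public_access_block or {}
    findings = []
    disabled = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if disabled:
        findings.append(f"{name}: Block Public Access flags off: {', '.join(disabled)}")
    policy_hits = public_policy_statements(policy)
    for sid, actions in policy_hits:
        findings.append(f"{name}: policy statement {sid} grants {actions} to everyone")
    acl_hits = public_acl_grants(acl)
    for uri, perm in acl_hits:
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    # RestrictPublicBuckets neutralises an existing public policy for anonymous callers;
    # IgnorePublicAcls does the same for public ACL grants. Either flag off leaves a hole.
    exposed = (bool(policy_hits) and not pab.get("RestrictPublicBuckets")) or \
              (bool(acl_hits) and not pab.get("IgnorePublicAcls"))
    return {"bucket": name, "exposed": exposed, "findings": findings}


# Constructed sample: the misconfiguration pattern behind a leak like the one above.
BUCKET = "example-orders-bucket"  # hypothetical name
LEAKY_PAB = {flag: False for flag in PAB_FLAGS}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

# Constructed sample: the same bucket after hardening (only an application role may read).
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-orders-app"},  # hypothetical
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
    "Permission": "FULL_CONTROL"}]}


def demo():
    """Audit the leaky and the hardened configuration; returns (leaky, hardened) reports."""
    return (audit_bucket(BUCKET, LEAKY_PAB, LEAKY_POLICY, LEAKY_ACL),
            audit_bucket(BUCKET, HARDENED_PAB, HARDENED_POLICY, HARDENED_ACL))


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

The leaky configuration produces three findings and an `exposed` verdict of true; the hardened one produces none. Turning on all four Block Public Access flags at the account level is the single change that would have closed this class of exposure regardless of what any individual bucket policy or ACL said.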

Although the research team discovered no payment information, they did find customers’ full names, physical addresses and purchase details among the leaked orders. In some cases, phone numbers and emails were also exposed.

The oldest orders dated back to 2019, and they went right up to the present day. This indicates that the database is continually updated.

WizCase warned that many of those whose details were exposed may be unaware of the leak, as e-commerce marketplace users often don’t check the names of sellers.

Cosmolog Kozmetik, which also sells under the name “Marketlog,” is commonly found on major Turkish e-commerce platforms Trendyol, Hepsiburada, and Unishop.

WizCase warned that if threat actors managed to find and copy the exposed data, it might put these shoppers at risk of follow-on phishing and fraud, including refund scams. They could even suffer physical theft of packages if attackers track and steal shipments as they arrive at customers’ homes, it added.

“Cyber-criminals are always generating new methods to exploit anyone vulnerable on the internet,” WizCase warned in a blog post detailing the privacy snafu.

“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack.”

Although WizCase contacted the Turkish CERT, Amazon and Cosmolog Kozmetik about the breach, none had replied at the time of writing.
