Photograph of a Sephora Banner
© Faiz Zaki/Shutterstock.com

Our VPNOverview.com security team discovered a large data breach affecting the customers of cosmetics giant Sephora. The team, led by cybersecurity researcher Aaron Phillips, confirmed that the breach contains the personally identifiable information (PII) of nearly half a million shoppers.

The affected users were members of a Sephora rewards program prior to 2019. We compiled an analysis of the breach, a timeline, and screenshots of the database Sephora leaked.

What Data Was Exposed?

The data exposed in this breach includes:

  • Card numbers that seem to correspond with Sephora Beauty Inside
  • Account numbers
  • Full names
  • Email addresses
  • Phone numbers
  • Sephora rewards points

The data was leaked when Sephora exported information from their database and stored it on the Amazon cloud.

Screenshot of a database with Sephora customer information

Our team took the screenshot above, which is a small snippet of the exposed data. Sephora closed the breach a few days later. The private information is visible in the following fields: fullname, email, card_numbers, and phone_number.

Impact of the Breach

We found that over 490,000 Sephora customers were impacted by this breach. The affected customers are located in Mexico and created their accounts before 2019. Based on the data we recovered, we believe the Sephora customers affected by this breach were all members of a Sephora rewards program.

Number of people affected Sephora breach

The card numbers that were leaked seem to correspond to Sephora Beauty Pass information, such as that belonging to “Sephora White” members. Sephora left the customer data in their cloud storage, accessible to everyone on the internet.

Data Accessible Through Unsecured AWS S3 Bucket

The cause of the breach was a database backup file left publicly accessible on the internet. It was stored in an Amazon Web Services (AWS) bucket belonging to Sephora.

The data was accessible because Sephora used a permissive bucket security policy. This policy allowed everyone on the web to view the contents of the bucket. This posed a serious risk to the company’s customers.

Files leaked during a Sephora breach

Our security researchers believe that this data was left accidentally unsecured after a 2019 migration. The data may have been accessible for years. Sephora closed the breach shortly after we brought it to their attention.

Breach Resolved Following Responsible Disclosure

After discovery, our security team contacted Sephora as part of responsible disclosure. We confirmed that Sephora secured the compromised data by removing access to the bucket. We destroyed the PII that we recovered, and the breach has been resolved.

Timeline of the Breach

The following table contains the exact timeline of the Sephora breach.

Event                                                      Date
Security Researcher Aaron Phillips discovered the breach   December 4th, 2021
Notified Sephora using admin@sephora.mx                    December 5th, 2021
Notified Sephora using externalcomms@sephora.com           December 8th, 2021
Sephora closed the breach                                  December 17th, 2021

Sephora participates in a HackerOne bug bounty program (update September 2022: page seems to be unreachable). However, the program doesn’t accept bugs unless they impact a “sephora.com” domain. In this case, their bounty program wasn’t broad enough to cover the breach, since it affected an external domain.

Not Sephora’s First Cybersecurity Incident

This is not the first time customer records belonging to Sephora have been exposed online. On July 30th, 2019, beauty giant Sephora suffered a similar breach of PII customer data. Customers in Malaysia, Singapore, Indonesia, Thailand, the Philippines, New Zealand, and Australia were at risk at the time.

Sephora subsequently notified the Personal Data Protection Commission (PDPC) about the issue. Additionally, the company immediately requested help from a leading cybersecurity provider. As a result, existing customer passwords were reset as soon as possible and vulnerabilities were patched. Since then, Sephora has been offering a free customer data monitoring service to affected customers.

According to Sephora’s official letter to customers following the exposed database in 2019, customers’ financial accounts and other data were not compromised or accessed for malicious purposes.

However, it is important to remember that cybercriminals are always on the lookout for exposed data, and they are good at evading detection. This means it is impossible to ascertain with full confidence that an exposure was not exploited until someone notices something is off, for example because they have become a victim of identity theft or because money is missing from their account.

Amazon Web Services Vulnerable to Misconfiguration

This is not the first time Amazon customers have had “leaky bucket” issues. Previously, millions of Facebook records were left lying around in a publicly accessible bucket. Moreover, SEGA Europe recently suffered a massive breach due to a misconfigured Amazon S3 bucket. So, why are Amazon’s S3 buckets so often the cause of breaches?

S3 buckets are similar to folders on any computer. These folders sit in the Amazon cloud, where companies pay to keep their data for global accessibility, speed, and redundancy. S3 buckets are not inherently insecure, and bucket policies should be made as restrictive as necessary to keep data secure.

However, when bucket security policies are not configured correctly, private data might be exposed. Amazon warns customers not to use permissive security policies unnecessarily. Even so, there are good reasons why an AWS customer might make a bucket publicly accessible, for example to host images for a website. Unfortunately, too often companies are careless and put PII and other private information in public buckets. That seems to have been the case with Sephora.
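As an added illustration (not code from the original article, and not Sephora's actual policy), the following Python checks a bucket policy for the permissive pattern described above and shows a constructed hardened policy beside it; the bucket name, account ID and role name are placeholders.

```python
import json

# Actions that let an anonymous caller download objects or list the bucket.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean anyone, including unauthenticated callers.
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return principal == "*"

def public_read_statements(policy_json):
    # Return Sids (or indexes) of unconditioned statements that grant read or
    # list access to everyone; conditioned grants are left for manual review.
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

RESOURCES = ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]

# Constructed permissive policy of the kind described above (placeholder bucket name).
PERMISSIVE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})

# Constructed hardened policy: only one named IAM role (placeholder account ID) may read.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})
```

Running `public_read_statements` over the two policies flags only the first; in practice S3 Block Public Access at the account level is the simpler safeguard, and this check is a way to audit policies that were written before it was enabled.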

The Importance of Cybersecurity in 2022

The past few years have seen an unprecedented rise in sophisticated cyber attacks that have had catastrophic consequences for not just individual organizations, but the internet at large. Some recent examples from 2020 and 2021 include the SolarWinds breach and the Log4Shell incident.

Cybersecurity companies know that strict defense measures are the number one priority for any organization, because of the amount of sensitive data being kept and shared online. Businesses need to understand and assess their internal and external risks well. This Sephora case proves that any company in any industry can put its data at risk through cybersecurity shortcomings and lack of forethought.

VPNOverview.com security researcher Aaron Phillips remarked: “I think this Sephora breach really shows that these information leaks can affect anyone, and they ultimately lead to identity theft. Every business needs to raise its standards and follow best practices if they’re going to retain customer data. Too many bad guys make money buying and selling information that’s been left lying around in the cloud.”
