The data breach performed by Cru3lty hackers affected over 2 million Tarte Cosmetics customers, revealing their addresses, names, purchase history, credit card information, and emails.
This has been a busy week for data leaks: it has seen the new Appleby data breach, the Fortinet data breach, and others. In this case, Tarte Cosmetics was the target. During the data leak, millions of people’s personal information came to light, exposing very personal data to the public.
Clients are feeling insecure about buying from Tarte again, since the data exposed in this leak included emails, names, addresses, the last four digits of credit card numbers, and purchase history. Researcher and security expert Bob Diachenko, together with his team at Kromtech, a technology-related company, discovered the data breach on October 18 and sent Tarte several security alerts warning about what they had found. Although the researchers at Kromtech thought the warnings had been ignored because there was no response from Tarte, the company’s databases were secured 2 days after it received the first warning.
The data breach affected a wide range of online clients, exposing sensitive data from US-based and international clients. It is also noted that the method of publication used by the hacker group involved two unsecured MongoDB databases. The New York-based Tarte offers cosmetic products at major stores including Sephora, Macy’s and Ulta.
In reaction to these latest events, Diachenko said in a worried tone, “It feels like consumers are gambling with their data with every purchase.” Regarding the recent increase in data leaks, he added, “There seem to be hacks, security breaches, and massive data leaks almost every week.”
Diachenko also claimed that the exposed data was accessed by the prolific cybercriminal and ransomware group Cru3lty. The hackers’ usual method of operation is to wipe data and demand a ransom in exchange for returning it. After the data has been hijacked, they leave a standard ransom note giving instructions on how to recover the database after paying 0.2 bitcoins.
Diachenko added that the hackers could use the last four digits of the credit card to trick people into believing they are confirming their credit card with a trustworthy company. In addition, he said that criminals could cross-reference this data against other data leaks to get customers’ full card numbers or expand the information they hold.
James Novara, Tarte’s VP of e-commerce & IT, said in a statement regarding the data breach, according to the report made by Gizmodo: “At Tarte, keeping customer information fully secure is our No 1 priority. We are aware of this potential issue, which we are actively investigating. At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary.”