
Tarte Cosmetics Database Leak: Nearly 2 Million Customers Exposed

It’s astounding, really, when you stop for a moment to think about it: Far too many companies with large databases housing their customers’ personal information continue to step in you-know-what, no matter how many warnings they get, no matter how many others have paid the price, no matter how many times security pros tell them what to do, no matter what.

What is it with these guys? It must be maddening for security defenders to say the same thing over and over again only to realize that few are listening. Or maybe it’s just the opposite: they know with certainty that their work is plentiful.

In yet another cautionary tale, Tarte Cosmetics, a New York City-based maker of beauty products sold by high-end retailers, left bare the personal records of nearly two million online customers after misconfiguring two of its open source MongoDB databases to allow for public access. Researchers from MacKeeper’s Kromtech Security Center discovered the operator error.

“On October 18th Kromtech security researchers discovered a Mongo database that was connected to Tarte Cosmetics and contained data for almost 2 million US and international customers (exact number of records is 1,891,928) who shopped via their online store between 2008-2017,” wrote Bob Diachenko, Kromtech’s chief communication officer, in a blog post.

This is what caused the data breach: Tarte admins left a security setting public instead of private, exposing the names, addresses, emails, buying histories and the last four digits of the credit card numbers of people who purchased online from Tarte between 2008 and 2017.
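The exposure pattern described above comes down to two mongod settings: which interfaces the server listens on, and whether clients must authenticate. The listing below is an added illustration, not Tarte’s or Kromtech’s actual configuration; it shows an exposed `mongod.conf` beside a hardened one, and the private application-server address is an assumed placeholder.

```yaml
# Two separate mongod.conf files shown in one listing, separated by "---".
# Added illustration; not Tarte's or Kromtech's real configuration.

# --- File 1: EXPOSED. Listens on every interface and requires no credentials,
# so anyone who can reach TCP/27017 from the Internet can read, export,
# drop or encrypt every collection (exactly what a ransom note relies on).
net:
  bindIp: 0.0.0.0
  port: 27017
# No "security:" section: authorization is off, so no username or password is asked for.

---

# --- File 2: HARDENED. Reachable only from loopback and the application host,
# and every client must present valid credentials.
net:
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 = app server's private IP (assumed placeholder)
  port: 27017
security:
  authorization: enabled       # role-based access control; reads/writes gated per user
```

Restrict the port at the host firewall and cloud security group as well, so a later edit to `bindIp` cannot silently reopen the database to the world.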

Unfortunately for Tarte customers, that’s not the end of the story. The ransomware group CRU3LTY apparently accessed the personal data, leaving its calling card: a note demanding 0.2 bitcoins to recover the database once the information had been deleted or encrypted. The ransom crooks are known for seizing unsecured databases.

There’s no minimizing the risk to Tarte’s customers, Diachenko said. “With all of the other data leaks online it is possible that criminals could even cross reference this data against other breaches and get the customer’s full card number or more information,” he wrote.

Kromtech suggested Tarte was in no hurry to secure the 8.7 GB databases, waiting two days after the researchers contacted them to fix the problem.

“Companies who collect and store payment data will continue to have a very high exposure to cyberattacks and related security risks,” Diachenko said. “This discovery shows once again that many companies are still not putting enough focus on how they manage security risks.”

This incident comes on the heels of another alleged Tarte security breach last month when the company leaked 1,400 email addresses to their customers. Tarte denied their systems were hacked and blamed an issue with their automated email service.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.