top of page

Brazil's Biggest Cosmetic Brand Natura Exposes Personal Details of Its Users

Brazil's biggest cosmetics company Natura accidentally left hundreds of gigabytes of its customers' personal and payment-related information publicly accessible online that could have been accessed by anyone without authentication.

SafetyDetective researcher Anurag Sen last month discovered two unprotected Amazon-hosted servers—with 272GB and 1.3TB in size—belonging to Natura that consisted of more than 192 million records.

According to the report Anurag shared with The Hacker News, the exposed data includes personally identifiable information on 250,000 Natura customers, their account login cookies, along with the archives containing logs from the servers and users.

Worryingly, the leaked information also includes Moip payment account details with access tokens for nearly 40,000 users who integrated it with their Natura accounts.

"Around 90% of users were Brazilian customers, although other nationalities were also present, including customers from Peru," Anurag said.

"The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several 'Amazon bucket names' were mentioned in the leak, including PDF documents referring to formal agreements between various parties," Anurag said.

More precisely, the leaked sensitive personal information of customers includes their:

  • Full name

  • Mother's maiden name

  • Date of Birth

  • Nationality

  • Gender

  • Hashed login passwords with salts

  • Username and nickname

  • MOIP account details

  • API credentials with unencrypted passwords

  • Recent purchases

  • Telephone number

  • Email and physical addresses

  • Access token for

Besides this, the unprotected server also had a secret .pem certificate file that contains the key/password to the EC2 Amazon server where Natura website is hosted.

If exploited, the key to the server potentially could have allowed attackers to directly inject a digital skimmer directly into the company's official website to steal users' payment card details in real-time.

"Exposed details about the backend, as well as keys to servers, could be leveraged to conduct further attacks and allow deeper penetration into existing systems," the researcher warned.

SafetyDetective tried reporting its researcher's findings directly to the affected company last month but failed to receive any response on time, after which it contacted Amazon services, who then asked the company to secure both the servers immediately.

At the time of writing, it's unknown if the unprotected servers and the sensitive data stored on them were also accessed by a malicious actor before they went offline.

So, if you have an account with Natura, you are advised to stay vigilant against identity theft, change your account password and keep a close eye on your payment card transactions for signs of any suspicious activity.

"Instances of personally identifiable information being exposed could potentially lead to identity theft and fraud since they can be used by attackers for identification in various sites and locations," the researcher added. "The risk of phishing and phone scams is also raised by the Natura data leak."


bottom of page