Consumer Data Not Exposed in Estée Lauder Data Breach

A Jan. 30 data breach linked to cosmetics giant Estée Lauder exposed more than 440 million records, but none apparently contained customers’ payment information or privileged information about employees.

“To the best of my knowledge, the database did not contain payment data or sensitive employee information based on what I personally saw,” said a blog post from Jeremiah Fowler of, who discovered the breach.

Reporting on the breach, Forbes published this statement from Estée Lauder:

“On Jan. 30 we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”

It took Fowler some time and effort to effectively communicate the breach to Estée Lauder.

“I immediately sent a responsible disclosure notice Estée Lauder alerting them to the exposure,” he wrote. “As in most large companies when reporting a data exposure, it is usually extremely difficult to get through the firewall of gatekeepers, but several hours later and multiple emails the data was still exposed. After calling every phone number I could find I was able to reach someone by phone who then promised to pass on the information. The company acted fast and professionally and restricted public access to the database on the same day as my notification.”

Fowler’s list of what he discovered before reaching out to Estée Lauder included:

  • 440,336,852 logs and records that should not have been publicly exposed online.
  • “User” emails in plain text (including internal email addresses from the domain)
  • Production, audit, error, CMS, and middleware logs were exposed.
  • References to reports and other internal documents.
  • IP addresses, ports, pathways, and storage info that cyber criminals could exploit to access deeper into the network.

Estée Lauder’s digital pressroom makes no mention of the data breach, nor is it referenced on the beauty brand’s social media.

Other recently revealed data breaches include one that exposed credit card information, including CVV codes, belonging to ecommerce customers of Hanna Andersson, the Portland, OR-based children’s clothing brand with Swedish roots. It was hacked in a magecart attack last fall that only came to light when affected customers were notified in a letter on Jan. 15.

Amid the 2019 holiday shopping season, Visa warned ecommerce merchants about a new JavaScript skimmer targeting customer data entered at the point-of-sale (POS) in payment forms on sellers’ websites. The Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program named the skimmer Pipka based on its exfiltration point (where data is extracted) at the time of the analysis.

“Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka,” Visa said at the time. “PFD previously reported on the use of Inter to target service providers with malicious skimming code that was integrated into ecommerce merchant environments.”