Cruelty-Free Cosmetics Brand Tarte Exposes Personal Data of 2 Million Customers


Popular cosmetics brand, Tarte, has exposed personal information of nearly two million customers, including their mailing addresses and the last four digits of their credit cards. The New York based cosmetics company left two databases insecure, exposing data of millions of its online customers.

Security researchers at Kromtech discovered a Mongo database connected to Tarte Cosmetics and carrying data of almost two million US and international customers left exposed. Customers who shopped from the company between 2008 and 2017 are affected from this incident. Researchers wrote that the MongoDB server was set up without the proper security measures, since the admins had made the security setting as "public" instead of private.

NVIDIA Hit By Major Cyberattack That May Have ‘Completely Compromised’ Parts of Its Business

The database carries a total of 1,891,928 customer records (about 500 of the email addresses contained in the database are from .gov or .mil domains), carrying the following information:

  • Customer name
  • Customer address
  • Customer email
  • Purchase history
  • Last 4 digits of credit card

Before researchers, criminals had already accessed these insecure Tarte databases

The data was apparently accessed by the ransomware group "CRU3LTY" who according to the security researchers had left their ransom note inside the database demanding 0.2 bitcoins for recovering the database.

This latest security disaster has come to the front only a few weeks after the cosmetics brand made it to the headlines for sending over 50 emails (addressed to different people) to customers who had recently ordered products online.

When the recipient would click on the order status link sent in the email, it took them to Tarte's website, showing their information, including the last 4 digits of their credit card information.

Security Researcher Develops Normal-Looking Lightning Cable With a Chip That Can Steal Passwords

At the moment it is unclear if the two incidents are related (we have reached out to Tarte for confirmation), but at the time James Novara, vice president of e-commerce & IT at the company, had promised "fully refunding the affected customers" and sending them "some new holiday items to make up for any inconvenience this issue may have caused." It'd be interesting if Tarte promises something similar to ALL two million of its online customers.

While Kromtech researchers didn't get any response from Tarte despite multiple attempts at contacting the company, Tarte did secure both the databases (3.8GB and 4.9GB in size) after two days of first notice. In a statement, the company has said that "customer information fully secure is our No. 1 priority." Novara added that the company is "actively investigating" the incident and is "aware of this potential issue."

"At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary."

Possibilities of identity fraud, phishing attacks, scam calls

While the database hasn't exposed complete credit card information, security experts warn that the data exposure could put affected customers at risk. Among other cases, customers are more at risk of falling for targeted attacks where criminals call people purporting to be from their bank, insurance or other financial institutes, claiming to verify themselves by providing the last digits of the victim's credit card and/or complete mailing address.

Hackers can also start a phishing campaign targeting Tarte's own customers and using this hack to push them to change their password or confirm their complete payment information through legitimate-looking emails.

"In this instance they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust," Bob Diachenko, Kromtech's Chief Communication Officer wrote. "With all of the other data leaks online it is possible that criminals could even cross reference this data against other breaches and get the customer’s full card number or more information."

With the evidence of at least one criminal group already having access to this data, Tarte customers should be wary of any emails or calls coming from Tarte itself or others that may ask them to change the passwords through emailed links or confirm payment details.

Kromtech added that Tarte's lack of security protections is yet "another wake up call for companies to put security measures in place and prepare for unpredictable yet inevitable nature of cyberattacks."