AWS Misconfiguration Exposes Half a Million Cosmetics Customers
Hundreds of thousands of retail customers had their personal data exposed thanks to a misconfigured cloud storage account, Infosecurity has learned.
A research team at reviews site WizCase traced the leaky Amazon S3 bucket to popular Turkish beauty products firm Cosmolog Kozmetik.
The 20GB trove contained around 9500 files, including thousands of Excel files which exposed the personal information of 567,000 unique users who bought items from the provider across multiple e-commerce platforms.
Although the research team discovered no payment information, they did find customers’ full names, physical addresses and purchase details among the leaked orders. In some cases, phone numbers and emails were also exposed.
The oldest orders dated back to 2019, and they went right up to the present day. This indicates that the database is continually updated.
WizCase warned that many of those whose details were exposed may be unaware of the leak, as e-commerce marketplace users often don’t check the names of sellers.
Cosmolog Kozmetik, which also sells under the name “Marketlog,” is commonly found on major Turkish e-commerce platforms Trendyol, Hepsiburada, and Unishop.
WizCase warned that if threat actors managed to find and copy the exposed data, it might put these shoppers at risk of follow-on phishing and fraud, including refund scams. They could even suffer physical theft of packages if attackers track and steal shipments as they arrive at customers’ homes, it added.
“Cyber-criminals are always generating new methods to exploit anyone vulnerable on the internet,” WizCase warned in a blog post detailing the privacy snafu.
“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack.”
Although WizCase contacted the Turkish CERT, Amazon and Cosmolog Kozmetik about the breach, none had replied at the time of writing.