A research team at SafetyDetectives has discovered an unprotected server for direct-sales beauty company Avon and found more than 7GB of data, including more than 19 million records, open and available with no authorization required.
The information on the server included both critical details about individuals and administrative data, such as OAuth tokens and administrative user names. Between the two types of data, attackers could conduct extensive identity theft operations and gain access to significant administrative capabilities on the server.
According to the researchers, around the time of their discovery in early June, Avon issued a pair of statements indicating that a data breach had occurred and was being remediated as systems were restarted. Avon noted that no financial data was involved in the breach because that data was not stored on the server involved.
Read more here.