The vulnerability in question primarily affected the company's Canadian customers who had ordered products online or created an account on the merchant site. The data available online included their names, phone numbers, emails or dates of birth.
Still through this flaw, vpnMentor was also able to access a list of six million orders placed on Yves Rocher's website. The transaction amounts, the currency used, the date and the delivery point were easily accessible.
Temporary access
"An event was organized at Yves Rocher a few days ago. For the occasion, an integration server was opened for testing, which was not protected enough," Aliznet told BFM Tech. "The flaw has since been resorbed, and the data available was not necessarily up to date and quite disparate, although it may have included potentially real-life information samples."
The exposure of this data, although temporary, carries risks. This same information can be a goldmine for hackers who are used to handling it. "Access to physical addresses, email addresses and phone numbers can allow malicious actors to engage in phishing operations or launch ransomware," notes vpnMentor.
As a reminder, phishing is the attempt to steal personal or banking information by indirect means, including the sending of fake emails. These operations can also pave the way for ransomware, which locks a victim's data and demands a ransom for its recovery.
Source link
https://www.bfmtv.com/tech/yves-rocher-victime-d-une-faille-de-securite-les-donnees-de-25-millions-de-clients-exposees-1759542.html