Report: Aliznet Data Breach Exposes Data for Millions of Canadian Customers
vpnMentor's research team has discovered a data breach related to Aliznet, a French consulting company in the retail sector.
The company provides consulting services to large companies around the world. Past clients of Aliznet include IBM, Salesforce, Sephora, Louboutin, Inwi, and Yves Rocher.
The most sensitive leaked data involves customers of Aliznet's client Yves Rocher, an international cosmetics and beauty brand.
Customers' full personally identifiable information (PII) were exposed, along with detailed records of their orders.
The data breach also exposed private internal records that could negatively impact Aliznet's client companies.
Led by Noam Rotem and Ran Locar, the vpnMentor research team found multiple vulnerabilities in Aliznet's systems that could possibly be exploited to expose even more data.
One serious vulnerability involves an unprotected API interface for an application that Aliznet appears to have created for its client company Yves Rocher.
Example of Entries in the Database
The data breach involves records from Aliznet's database that were exposed through an unprotected Elasticsearch server.
Our researchers were able to access multiple parts of the database, including:
Yves Rocher Customer Records
The leak included private information about more than 2.5 million customers of Aliznet's client company Yves Rocher. The affected customers were located in Canada.
We could view customers' personally identifiable information, including:
- First and last name
- Phone number
- Email address
- Date of birth
- Zipcode
The records also revealed something potentially sensitive called an FID number for each customer.
Several countries use the term "FID number" to refer to a private, unique number assigned to a person for international shipping or tax purposes.
In different situations, "FID number" can stand for "foreign identification number," "federal identification number," or "full import declaration." It also might just be a nonsensitive internal code used by the company.
We were unable to confirm what the number actually represents. Although it could be nothing, the possibilities are concerning.
The leaked customer records also tied each individual to a unique customer ID. By itself, this value is meaningless.
However, the customer IDs can be used to identify customers listed on Yves Rocher order records that were part of the data breach.
Yves Rocher Order Records
We were also able to view records of more than six million customer orders in the Aliznet database.
For each order, we were able to view the transaction amount, currency used, delivery date, and the location of the store where the order was placed.
You can see in the example above that the order was placed in Promenades St-Bruno, a shopping mall in Quebec, Canada. We were able to view the exact coordinates of each store location.
The order records also included the full name of the employee who processed each order, along with their employee ID.
Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID.
Internal Client Data
The leaked data included a variety of internal information related to Aliznet's client Yves Rocher, including:
- Statistics describing store traffic, turnover, and order volumes
- Product descriptions and ingredients for over 40,000 retail products
- Product prices and relevant offer codes
Other parts of the leaked database linked to Aliznet's corporate resources.
These included PDF files containing previous Aliznet job postings and client success stories, Aliznet employee profile portraits, website media, and other promotional materials.
Vulnerable API Interface
The research team discovered another serious vulnerability in the exposed Elasticsearch server. We were able to access the API interface for an application created by Aliznet for Yves Rocher.
The application seems to have been created to be used by Yves Rocher employees rather than customers.
After examining the interface, our researchers believe that it would be possible for someone to easily log in to the system using an employee ID exposed in the Aliznet leak.
The unsecured Yves Rocher app could likely provide hackers and other malicious actors with additional information about the company and its customers.
Most worrying, the app appears to be linked to databases containing customers' home addresses and purchase histories.
The API interface also gave us access to the API explorer. The research team believes that this API explorer could be used to add, delete, or modify data in the company database.
With the proper credentials, a competitor or other malicious party could use this tool to tamper with data related to customers, products, stores, and more.
Data Breach Impact
The leaked database contained information that could be harmful on multiple different levels. The biggest impacts will be felt by Aliznet, its client Yves Rocher, and the retail company's end customers.
Impact on End Customers
The data breach exposed full contact details for individual customers of Yves Rocher. Hackers, scammers, and advertisers can easily exploit this information.
With access to your address, email addresses, and phone number, malicious parties can create sophisticated phishing schemes and ransomware attacks.
Affected customers may begin to receive emails that appear to be legitimate, but that actually are embedded with malware or designed to trick them into sharing even more sensitive data.
Exposed phone numbers can become targets of unwanted text spam or dangerous phone scams. In some cases, hackers can even use leaked information to trick phone service providers into helping them hijack your cell phone number.
Once a malicious actor is in control of your cell phone number, they can use it to gain access to your other private accounts that are protected with two-factor authentication.
The data breach also exposed records of customer orders of Yves Rocher products. This can be dangerous. Banks and other financial institutions often ask questions about your recent purchases to confirm your identity.
A simple Google search with your name and location can bring up your social media accounts, your company website, and other webpages with additional information about your life.
Cybercriminals may be able to gather enough information to commit credit card fraud and identity theft. Identity theft can have very serious long-lasting consequences.
Impact on Yves Rocher
Competitors in the cosmetics and beauty industry may now have access to Yves Rocher's private resources and store statistics.
The data leak included the prices and promotional offers for a large number of Yves Rocher cosmetic and beauty products.
This information is a big asset to the company's competition. Competitors of Aliznet's clients could use the leaked data to estimate store sales, order volumes, and more.
The exposed database also provides competitors with a list of Yves Rocher's Canadian customers, complete with their name, age, contact information, and order histories.
Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.
Impact on Aliznet
The implications of the Aliznet leak extend beyond the effect on individual customers. The data infringement affects Aliznet's clientele who have entrusted the company with the responsibility of safeguarding their confidential information.
One concern is that Aliznet may have other unsecured databases and applications that haven't been discovered yet. That means other clients of Aliznet may be at risk.
Aliznet could lose business because of this data breach. The company's competition may be able to take over accounts now that Aliznet may be facing trust issues with clients.
Aliznet offers professional services in IT strategy consulting and project management. The data breach may negatively impact Aliznet's credibility as an expert in the IT field.
Advice from the Experts
This data leak could have been easily prevented with some very basic security measures. At a minimum, you should always make sure to follow these security practices:
- Secure your servers
- Implement appropriate access rules
- Require authentication to access all systems
Leaving an unsecured system open to the internet is never a good idea, even if you don't think it contains sensitive information.
To learn more about protecting your company's online resources, read our in-depth guide on how to secure your website and online database from hackers.
How and Why We Discovered the Breach
We discovered this data leak as part of our large-scale web mapping project. Lead by security experts Ran and Noam, our research team scans ports to find known IP blocks.
After finding IP blocks, the team searches for vulnerabilities in the system that would indicate an open database.
Once the team encounters a vulnerability, they use their technical expertise to find out what data may be at risk and link the system back to the owner—in this case, Aliznet.
As ethical hackers and researchers, we do not sell, store, or expose the information we encounter. Each time a data leak is discovered, we contact the owner, describe the vulnerability, and suggest ways to make their system more secure.
Our goal is to improve the overall safety and security of the internet for everyone.
About Us and Previous Reports
vpnMentor is the world's largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users' data.
We recently discovered a breach in the adult site Luscious that exposed highly sensitive and private user data. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people.