In September, Tarte Cosmetics experienced a "glitch" with its automated email service that sent thousands of shipping notifications to the incorrect people. In the process, a slew of online customers' full names, home addresses, and phone numbers were leaked.
Tarte said the incident was not a security breach and that only 1,400 orders were affected. Barely a month later, things have escalated, and this time it's far worse for Tarte's online customers.
Kromtech, a software security research firm, discovered that a Tarte database exposed the personal information of roughly 2 million customers to... well, whoever wanted to access it.
"What immediately drew our attention was the fact that it was unprotected, available for anybody to view and even edit," said Bob Diachenko, Kromtech's chief security communications officer. "[The type of database Tarte uses] has been one of the most targeted databases since the end of last year — thousands of unprotected instances have been hijacked by several ransomware groups."
Kromtech alerted Tarte to the issue via email and LinkedIn on October 19, one day after discovering the database.
According to Diachenko, Tarte responded and secured its databases around a day later.
The brand's unprotected, public database contained the names, email addresses, phone numbers, and home addresses of customers who made purchases on its website from 2008 until 2017.
Most alarmingly, it also held the purchase histories and the last four digits of the credit card numbers of 1,891,928 customers.
It also allegedly contained a note from CRU3LTY, a group that typically holds the contents of exposed databases for ransom.
The data in Tarte's database was never wiped, but the note from CRU3LTY demanded 0.2 bitcoin for the information, just over $1,000 at the time, which is not a lot of money in this context.
"We don't know much about this specific group, but my assumption is that they have a scanning script in place that automatically wipes and inserts ransom notes into unprotected databases," Diachenko said.
But according to Diachenko, that group shouldn't be Tarte customers' top concern; the bigger risk is independent attackers who saw the data and act on it themselves.
"There are big chances that in this particular instance, somebody else with malicious intents saw the content of the database — taking into account the nature of [Tarte's previous] email spread a couple of weeks before we spotted it — and planned this phishing attack."
Tarte said that it's currently "actively investigating" the extent of the damage.
"At Tarte, keeping customer information fully secure is our No. 1 priority," James Novara, Tarte's vice president of e-commerce, said in a statement to Gizmodo Australia. "We are aware of this potential issue, which we are actively investigating. At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary."
Revelist has reached out to Tarte's IT team to comment on what measures Tarte has taken to notify its customers and has yet to hear back.
Long story short: if you've bought items directly from Tarte's website in the last 10 years, Diachenko's advice is to be wary of the emails you receive.
According to security experts, it would be fairly easy for someone to use Tarte's customer data to "phish" for more. In practice, that means an attacker who already knows your name, email address, recent orders and the last four digits of your card can send a very convincing email from a fake Tarte address, cite those details to look legitimate, and ask you to "confirm" your full credit card number.
If you receive an email from Tarte containing links or requests for any of your personal information, act with caution: don't follow the links, and check your order by typing the store's address into your browser yourself.
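The kind of email described above has a few tells that can be checked mechanically: a sender address on a lookalike domain, links whose real host is not the brand's domain (including the trick of putting the brand's name in front of an attacker-controlled domain), anchor text that shows one address while the link goes somewhere else, and a request to "confirm" full card details. The following checker is an added example and is not code from the article, Kromtech or Tarte; the brand domain, the two sample messages and the lookalike domain in them are constructed for illustration, and the two-label approximation of a "registered domain" is a simplification (real code should use the Public Suffix List).

```python
"""Flag phishing indicators in an email that claims to come from a brand.

Added example, not part of the original article. The trusted domain, the
sample messages and the lookalike domain are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's real mail and web domain (hypothetical value).
TRUSTED_DOMAINS = {"tartecosmetics.com"}

# Constructed sample: a lure that cites order details a leaked database would
# reveal (card ending, order number) and asks for the full card number.
SAMPLE_PHISH = """\
From: Tarte Customer Care <orders@tarte-cosmetics-support.com>
To: customer@example.net
Subject: Action required: confirm your payment details
Content-Type: text/html; charset="utf-8"

<p>We could not charge the card ending in 4242 for order #18193.</p>
<p>Please <a href="http://tartecosmetics.com.verify-order.example/confirm">
confirm your credit card</a> at <a href="http://198.51.100.7/login">
tartecosmetics.com</a> within 24 hours.</p>
"""

# Constructed sample: an ordinary shipping notice that should pass cleanly.
SAMPLE_LEGIT = """\
From: Tarte <orders@tartecosmetics.com>
To: customer@example.net
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<p>Your order is on its way. Track it at
<a href="https://www.tartecosmetics.com/orders">tartecosmetics.com</a>.</p>
"""


def registered_domain(host: str) -> str:
    """Approximate the registrable domain by keeping the last two labels.

    Simplification: production code should consult the Public Suffix List so
    that hosts such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host: str) -> bool:
    return registered_domain(host) in TRUSTED_DOMAINS


def host_shown_in_text(text: str) -> str:
    """Return the host an anchor's visible text appears to name, or ''."""
    candidate = text.strip()
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    else:
        candidate = candidate.split("/")[0]
    return candidate.lower() if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", candidate.lower()) else ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons the message should be treated as phishing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender: the From: address is not on the trusted domain. This only
    #    catches lookalike domains; a forged From: on the real domain needs
    #    SPF/DKIM/DMARC results from the receiving mail server to detect.
    sender = parseaddr(str(msg["From"]))[1]
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not is_trusted(sender_host):
        findings.append(f"sender domain {sender_host!r} is not a trusted domain")

    # 2. Links: every href must land on the trusted domain (a brand name used as
    #    a subdomain of another domain does not count), and visible text that
    #    names a host must match the host the link really goes to.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            findings.append(f"link to untrusted host {host!r}")
        shown = host_shown_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text shows {shown!r} but points to {host!r}")

    # 3. Content: a request to re-enter card details, which a shipping or order
    #    notice has no reason to make.
    lowered = content.lower()
    if "credit card" in lowered and any(w in lowered for w in ("confirm", "verify", "update")):
        findings.append("asks the reader to confirm or update credit card details")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Run against the constructed lure, the checker reports the lookalike sender domain, both untrusted link hosts, the anchor text that displays the brand's domain while pointing at a bare IP address, and the request to confirm card details; the shipping notice produces no findings. The sender check is the weakest of the four, since the From: header is trivially forged: what makes the mail in the article dangerous is that the attacker can quote real order details, so the link and content checks are the ones worth trusting.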
One more piece of advice from Diachenko: don't reuse your passwords.
A password shared across sites means a single leak can unlock far more than your email.