Cosmetics firm Avon allegedly left over 600,000 customer records exposed

Security researchers have revealed that global cosmetics firm Avon left a database containing 4.2GB of data exposed to the internet without password protection "for months" last year – putting over 620,000 Brazil-based records at risk of being stolen by cybercriminals.

The discovery was made in May 2016 yet remained undisclosed until this week (11 April) as researchers from MacKeeper's Security Research Centre failed to make contact with the beauty product company. The cybersecurity experts said all contact was "completely ignored."

As such, the database was left publicly exposed for months, with "thousands" of emails, addresses, phone numbers and website passwords publicly accessible to anyone who knew where to look, said MacKeeper security researcher Chris Vickery.

At the time of writing, it remains unclear if Avon's Brazil operation notified any of the 629,295 customers potentially affected by the incident.

IBTimes UK contacted Avon for clarification; however, it had not received a response at the time of publication.

Vickery said the database ultimately went offline earlier this year, around the same time as a slew of ransomware attacks were hitting publicly available "MongoDB" databases. As reported, in January 2017 hackers were infecting unprotected data and demanding Bitcoin for its safe return.

At one point, two security experts, Victor Gevers and Niall Merrigan, said the scheme had hit nearly 30,000 separate databases – often left connected to the web without passwords.

In most cases, the hackers wanted between 0.2 Btc (£150) and 1 Btc (£752) in ransom.

MacKeeper's security team believe that Avon's Brazilian data was likely hit during this spate of ransomware attacks. If true, the cybercriminals potentially had access to thousands of credit card numbers, scanned ID cards, IP addresses and much more, Vickery warned.

"Having weak security or a misconfigured database is bad enough, but ignoring multiple notices with screenshots and other proof is irresponsible and risking customer data," he added. Upon analysis, the breach did not appear to affect Avon's customers in the UK or in any other country.

Despite being a household name, Avon has run into some financial woes in recent years – yet Brazil remains its top market. In March 2016, the BBC reported the firm moved its headquarters to the UK and cut more than 2,000 jobs worldwide as part of a "turnaround" strategy.