Yet another massive data leak, exposing millions of people's personal information has come to light. Tarte Cosmetics, considered to be a cult favourite beauty brand, freely exposed nearly two million customers' personal data to the public via two unsecured databases.

New York-based Tarte's cruelty-free cosmetic products are sold at major stores including Sephora and Macy's Ulta. The company also offers customers in countries where the products aren't available in stores, the option of shopping online. The data accidentally leaked affected Tarte's online customers. Sensitive data of both US and international customers, who shopped online between 2008 and 2017, was left publicly exposed via two unsecured MongoDB databases.

The data exposed included customers' names, addresses, emails, purchase history and the last four digits of credit card numbers. According to Kromtech researcher Bob Diachenko, Kromtech uncovered the breach on 18 October and sent Tarte several security alerts. Although the firm refrained from responding to Kromtech, on 20 October, all databases linked to the firm were secured.

The two MongoDB databases that contained Tarte's customers' data were "set up without the proper security measures" with the security settings switched to "public" instead of "private", which in turn left the data freely available online.

"It feels more and more like consumers are gambling with their data with every purchase. Almost every week there seems to be another massive data leak, hack, or security breach that exposes customer data," Diachenko said in a blog.

Cru3lty accessed exposed data

Kromtech security researchers may not have been the only ones to stumble across the trove of data. Diachenko said the exposed data was also accessed by the prolific ransomware gang Cru3lty. The hackers "left their standard ransom note inside the database demanding 0.2 Bitcoins for recovering the database once the data has been deleted or encrypted".

Security researchers spotted Cru3lty hijacking over 20,000 vulnerable MongoDB servers earlier in the year. The hackers' usual modus operandi is to wipe data and demand a ransom in exchange for returning the data. However, in this case, the Tarte data appears to be still intact.

It remains unclear whether the hackers have contacted Tarte to up the ransom. It is also unclear as to how long the data was left exposed before it was secured. IBTimes UK has reached out to Tarte Cosmetics for further clarity on the matter and is awaiting a response.

"At Tarte, keeping customer information fully secure is our No 1 priority. We are aware of this potential issue, which we are actively investigating," James Novara, Tarte's VP of e-commerce & IT, said in a statement, Gizmodo reported. "At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary."

"Cyber criminals in the past have used leaked information to reach out to customers with phishing emails and see who replies," Diachenko added. "In this instance they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust. It appears that criminals have already accessed the customer data. With all of the other data leaks online it is possible that criminals could even cross reference this data against other breaches and get the customer's full card number or more information. Ransomware alone could be devastating to a company large or small if they do not have their data backed up or a security plan in place."