September 1, 2021 • RBS

Categories: Security News

A threat actor on a prominent hacker forum is claiming responsibility for the breach and subsequent leak of sensitive information from cosmetics maker Oriflame. The alleged scope of compromised data includes 4 TB of information, including more than 13 million files and 4 million identity verification documents, as well as credit card and personal information of distributors and customers from 44 different countries.

Oriflame, originally established in Sweden and now headquartered in Switzerland, focuses on the development and distribution of beauty products. A cosmetics giant, the organization has 57 offices globally and reported over €1.1 billion in sales in 2020.

Similar to Mary Kay cosmetics and Amway, the corporation functions as a multi-level marketing company, where current distributors are encouraged to recruit new sellers. This business model explains why Oriflame collects a vast number of international verification documents from individuals located around the world.

The Data

On August 5th, 2021 a threat actor shared the first part of the compromised data on a popular hacker forum. The leak contained more than 25,000 identity verification documents from the country of Georgia, with unredacted scans of identity cards made available as evidence of the validity of the stolen data.

Below the shared documents, the threat actor posted a message providing more information:

“Total: 4 TB, 13399323+ files, over 4 million verification docs, excluding global DB and site sources. Credit card information will not be leaked or sold!

If you would like to purchase the other parts and prevent leaks contact me reply which country you would like to see next!
China has over 300k docs, Russia over 800k!”

Neither the price of the data nor the breakdown of identity verification documents per country was provided. It appears that the stolen credit card information will remain private, likely to be exploited by the threat actor or sold on to other threat actors.

Later on the same day, August 5th, 2021, the threat actor shared the second part of the compromised data: 773,504 files from Kazakhstan. Like the first installment of data, the sample included an uncensored passport scan.

Then on August 6th, 2021, a third installment of data was leaked, this time containing 426,074 files from China, and finally on August 11th, 2021, part four was made available with 3,278,901 files from India released. It is unclear how many of the files are strictly verification documents.

More recently, on August 22nd, 2021, a fifth installment was leaked with more than 1.5 million files and 700 GB of data from Russia. Russian authorities announced on August 24th that the relevant government agency, Roskomnadzor, is seeking an explanation of the events from Oriflame. They stated that, “At present, the stolen database of Oriflame clients had been detected on three Internet resources. Two of them have been blocked and the third deleted the link to the base.”

The threat actor also provided a list of countries whose citizens were affected in the breach. The list, in the form of two-letter abbreviations, includes 44 different countries with most of them appearing to be in Asia or Eastern Europe.

While the total number of affected customers is unknown, the claim of 4 million compromised identity verification documents is particularly alarming. Given the samples provided, the exposed data at the very least includes names, places of birth, dates of birth, addresses, genders, identification document numbers, and face pictures. This is a perfect combination for perpetrating identity theft on a very large scale.

Customers affected by the incident are at a substantial risk for identity theft as well. While credit card data has not been shown or proven to be stolen so far, it may be linked to those customers who also provided verification in order to become an Oriflame distributor. If credit card information is paired with the stolen verification documents, affected customers are at an extreme risk of financial fraud, account takeovers, spearphishing, harassment, and a number of other threats.

Oriflame Confirms Breach

On August 6th, 2021, a day after the threat actor shared the first installment of data, Oriflame released a statement regarding the incident. The organization stated that they suffered cyber-attacks that resulted in unauthorized access to personal data.

The timing of the press release aligns with the posts on the forums where the data was leaked, as well as the targeted geographic locations, which provides validity to the hacker’s claims.

Very little information about the incident itself or Oriflame’s response was included with the company’s statement. Commonly shared information such as how many customers were affected, what type of data was compromised, or when the incident occurred was not disclosed.

Screenshot of Oriflame’s Press Release on the Cyber Attack

Oriflame did promise that further information would be provided in their interim report on August 25th, 2021. If the company first became aware of the incident shortly after the threat actor released the first batch of files, it does make sense they would need more time to investigate and determine more precisely what actually happened.

Unfortunately, the August 25th interim report contained little information. The company merely added that “a vulnerability of an external software component” was exploited to gain access to web servers “for a few days.”

Ongoing Incident

Clearly it will take more time for the true extent and nature of the breach to be understood.

The threat actor previously stated that they will release the files from Russia next, but they have not done so as of this posting. There have been no leaks or updates provided since the previous partial data leak of documents from Russia on August 22nd.

A buyer may have purchased the data to stop the data leaks, or we may see more verification documents in the future. Risk Based Security continues to monitor the situation and will provide updates accordingly.

UPDATE: Although originally posted for sale, in early September the full 4 TB database was leaked in its entirety to a different hacking forum.
