Tarte Cosmetics

The Kromtech Security Center discovered that Tarte Cosmetics exposed the personal information of two million customers, which was stored in two unsecured online databases. The databases were publicly accessible and contained the names, email addresses, mailing addresses, and last four digits of credit card numbers of customers who placed orders through Tarte Cosmetics’ website between 2008 and 2017. It is believed that Tarte managed its customer information using MongoDB, an open-source database platform. The exposed databases were taken offline after the company was notified.

In January of this year and again in September, the NJCCIC released alerts warning members about cyber extortion campaigns that were actively targeting vulnerable MongoDB servers. We recommend that administrators of MongoDB servers review our previous NJCCIC Cyber Alert, audit their security settings, and implement the mitigation strategies provided as soon as possible. We also recommend that customers of Tarte Cosmetics monitor their financial accounts and report any fraudulent activity to their financial institutions.