CRU3LTY ransom attack: 2 million Tarte Cosmetics’ users’ exposure

by Gabriel E. Hall - -

Well-known cruelty-free cosmetics brand Tarte, distributed online and at beauty retailers such as Sephora, has misconfigured its two databases. The misconfiguration led to the PII exposure of about 2 million clients to cybercriminals called CRU3LTY.

cru3lty ransomware

The CRU3LTY group focuses on unsecured databases, lifting information, locking victim’s files and demanding a ransom in order to return the missing data.

Kromtech security firm, found the unsecured databases and a warning file which was left by the CRU3LTY group, demanded 0.2 bitcoins.

Even though the data was still there, the cybercriminals were likely to keep a copy. The data included Tarte’s customers who shopped at their online store from 2008 to 2017, names, mailing addresses, email addresses and last four digits of their credit cards.

This information provides great opportunities for phishing attacks and scams.

According to Bob Diachenko, a Security Communications Officer at Kromtech:[1]

In this instance, they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust. It appears that criminals have already accessed the customer data. With all of the other data leaks online it is possible that criminals could even cross-reference this data against other breaches and get the customer’s full card number or more information. Ransomware alone could be devastating to a company large or small if they do not have their data backed up or a security plan in place.

So how did it happen? Possibly the administrators at Tarte’s website have selected a public security setting instead of a private one at the MongoDB databases. The Shodan IoT search engine, used by cybercriminals to look for vulnerabilities, indexed the misconfiguration and the data from Tarte’s have been exposed to CRU3LTY.[2]

In addition, Zohar Alon, co-founder, and CEO at Dome 9 added: “Weak security practices can be the difference between putting your customers and their data at risk, and utilizing the immense benefits of the public cloud without any ramifications. “As we’ve seen recently, any size security gap in the public cloud is a big one. IT must perform regular checks and balances of cloud environments so malicious attackers cannot take advantage of simple misconfigurations. There are a number of native and third-party tools available that can solve these rampant misconfiguration errors. As companies continue to expand and leverage the agility and ease of use of the public cloud, they must put basic but crucial security practices first and be held accountable for lapses.”

Tarte cosmetics reported at InfoSecurity Magazine that:[3]

At Tarte, keeping customer information fully secure is our No. 1 priority. We are aware of this potential issue, which we are actively investigating. At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary.


About the author

Gabriel E. Hall
Gabriel E. Hall - Antivirus software specialist

Gabriel E. Hall is an antivirus software specialist at

Contact Gabriel E. Hall
About the company Esolutions


now online
Like us on Facebook