"Technical information relating to Avon’s web and mobile sites was inadvertently left exposed on an unsecured Microsoft Azure server.
Avon, the cosmetics brand that suffered an alleged ransomware attack in June 2020, has found itself at the centre of a new and significant security incident after inadvertently leaving a Microsoft Azure server exposed to the public internet without password protection or encryption.
According to SafetyDetectives, the leaky server contained API logs for Avon’s web and mobile sites, which means that all production server information, including 40,000 security tokens and internal OAuth tokens, was exposed.
OAuth, an open standard authorization framework for online token-based authorization, enables end-user account information to be used by a third-party service such as Facebook or Twitter without exposing their credentials to it. Effectively, it acts as a go-between."