Cyber Incident Victim: Tarte Cosmetics
Date: Oct 2017
Location: United States of America
Summary
A major beauty brand exposed sensitive customer data via two unsecured databases, impacting nearly two million online shoppers. The publicly accessible MongoDB instances contained names, addresses, email contacts, purchase histories, and partial credit card information spanning multiple years of transactions. Both domestic and international customers were affected by the security lapse, which occurred when database configurations were set to public instead of private. A cybersecurity research team identified the breach and notified the company, prompting database lockdowns within days. During the exposure window, hackers accessed and exfiltrated the unprotected customer records.
Description
In October 2017, Tarte Cosmetics exposed sensitive customer data through two unsecured MongoDB databases, impacting nearly two million online shoppers. The New York-based beauty brand, sold through retailers like Sephora and Ulta, left databases publicly accessible due to misconfigured security settings set to "public" instead of "private." This allowed unrestricted access to records spanning online purchases from 2008 to 2017, affecting both US and international customers. Exposed information included full names, physical addresses, email addresses, purchase histories, and the last four digits of credit card numbers. Kromtech Security researcher Bob Diachenko identified the breach on October 18, 2017, and immediately notified Tarte through multiple security alerts. The company did not formally acknowledge Kromtech’s communications but secured all affected databases by October 20, 2017. During the exposure window, the hacking group Cru3lty accessed and exfiltrated the customer data.
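The "public instead of private" setting the report describes corresponds, in MongoDB's own configuration, to which interfaces the server listens on (`net.bindIp`) and whether clients must authenticate (`security.authorization`). The following is an added, constructed illustration of the weak state beside a hardened one; it is not Tarte's actual configuration and nothing on the page states which specific settings were in use. The `10.0.0.5` address is a placeholder for an application-network interface.

```yaml
# Weak mongod.conf (constructed illustration, not the affected company's real file).
# Listening on every interface with authorization disabled means anyone who can
# reach port 27017 can list and dump every collection without credentials:
# the openly discoverable, unauthenticated state the incident report describes.
net:
  port: 27017
  bindIp: 0.0.0.0            # all interfaces, including any public one
security:
  authorization: disabled    # no credentials required for any operation
---
# Hardened mongod.conf (constructed illustration).
# Bind only to loopback and the private application network, and require every
# client to authenticate so that roles limit what each account can read.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # 10.0.0.5 is a placeholder private address
security:
  authorization: enabled     # clients must authenticate; create admin/app users first
```

The two documents are shown in one file for comparison only; a real deployment uses one of them as its `mongod.conf`. After restarting with the hardened file, a useful check is that a connection attempt from outside the private network is refused and that an unauthenticated client cannot list databases. Since MongoDB 3.6 the default `bindIp` is localhost, so exposures of this kind generally arise when an operator widens it without also enabling authorization.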

The incident represented a significant exposure of personal and financial information, with researchers emphasizing the recurring pattern of consumer data vulnerabilities in e-commerce systems. Kromtech’s analysis confirmed the databases lacked fundamental security protocols, leaving them openly discoverable online without authentication safeguards. While Tarte implemented corrective measures to restrict database access within 48 hours of notification, the company did not publicly disclose whether impacted customers received direct breach notifications or mitigation support. The compromised data types created risks of identity theft, phishing campaigns, and financial fraud targeting affected individuals. No additional technical details regarding the duration of exposure prior to discovery or post-incident forensic findings were disclosed in available reports.
