Customers On Alert as E-Commerce Player Leaks 1.7+ Billion Records

A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.

A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.

Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity can confirm that the issue has now been fixed.

The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).

SafetyDetectives could not confirm the total number of those affected due to the size of the trove and the potential for duplicate email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” it claimed.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach.”

These include phishing and social engineering attempts built around legitimate user and business details, tax rebate and returns scams using CPF information, and even theft of items from the homes of customers who ordered high-value goods.

There’s also a potential for digital extortion in cases where customers have bought potentially embarrassing items. The researchers highlighted one anonymous shopper who purchased a “penis pump,” for example.

Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD), apparently gives regulators the power to fine companies a maximum of 2% of the previous year’s revenue for serious infractions, up to 50 million Brazilian reals ($10m).

What’s Hot on Infosecurity Magazine?