A misconfigured Elasticsearch server belonging to a popular office supplies store chain was found leaking nearly one million records including customers’ personal information, it has emerged.
The non-password protected database was discovered by a Website Planet team led by Jeremiah Fowler on March 3. They quickly traced it back to Office Depot Europe, which operates across the region with bricks-and-mortar stores and online under the Office Depot and Viking brands.
Among the 974,000 unencrypted records found in the database were customer names, phone numbers, home and office addresses, @members.ebay addresses, marketplace logs, order histories and hashed passwords.
Fowler warned that such data could have been used by cyber-criminals to perform convincing phishing attacks.
“Let’s hypothetically say a criminal calls the customer and they validate the recent order. Next the criminal says something is wrong with your billing information, can you please provide me with the credit card number used for your purchase?” he explained.
“The customer would have no reason to doubt this because the caller can validate real details that only the retailer would know. This is how a social engineering attack works and it is one of the most common forms of fraud used today.”
Although Office Depot Europe secured the database within hours of notification, thanking the researchers for bringing it to their attention, Fowler claimed it may have been exposed for up to 10 days.
This would have put it at risk not only from data-hunting fraudsters but automated ransomware scripts and other tools which scour the internet for misconfigured databases like this.
Alongside the customer information was data on middleware, IP addresses, ports, pathways and storage systems used by the organization which Fowler said could have been exploited to target the Office Depot corporate network.