E-commerce firm admits customer records were left on public-facing ElasticSearch server
A multinational e-commerce company that sells baby and toddler products has admitted that its customers’ personal data was publicly exposed on an unsecured server for nearly two weeks.
In a security alert published today (September 16), Munich-based Windeln.de said that between June 10 and June 23 the “data of some of our customers were temporarily stored on an unprotected server due to a maintenance error”.
The retailer said that “only customers who logged on to our website via the app or a browser between May 24th and June 23rd, 2020 are affected.
“The server is used as a short-term cache, which automatically deletes the data no later than every four weeks.
The company has yet to “establish which individuals and how many customers are affected in total” by the data breach.
Trail of bits
The breach was discovered by researchers from antivirus review site Safety Detectives, who said a database on an exposed ElasticSearch production server contained more than six billion individual records.
Safety Detectives said they alerted CERT-Bund, Germany’s Computer Emergency Response Team, which in turn notified Windeln.de. The e-commerce company said it then promptly secured the server.
Launched in 2010, Windeln.de sells products in Germany, Austria, Switzerland, Spain, Portugal, France, and China through four e-commerce domains.
The publicly-listed parent company claims to serve around 700,000 customers and recently reported revenues of €43.7 million ($52 million) in the first half of 2020.
In a blog post published yesterday, researchers from Safety Detectives said the six-terabyte database included customers’ full names, email addresses, postal addresses, phone numbers, and IP addresses.
The breadth of information related to each user varied, “presumably because they did not specify all their personal information” when registering with the domain, according to Wilson.
“Crucially – and raising the level of risk created by the leak – several information records referred to children whose parents were using the site,” said Jim Wilson, an ethical hacker and author of the post.
“Records showed full names, dates of birth and gender information.”
The researcher added that “malicious hackers can exploit the strong bond between parent and child” by, for example, using a child’s date of birth to dupe parents with scams based on their upcoming birthday.
Windeln.de confirmed that “names, email addresses, postal addresses, telephone numbers and the order history of affected users, as well as, in some cases, the dates of birth and names of their children”, were exposed.
Researchers said that the France-based server also contained payment methods (without payment information), order invoices, Amazon OAuth API login tokens, authentication tokens, partial listings of hashed passwords, internal logs including employee details, and the newsletter subscription mailing list.
Both the researchers and Windeln.de said they have discovered no evidence that the data has been obtained and abused by malicious actors.
Although payment card and other sensitive financial data was not exposed, hackers could, armed with other personal data, convincingly impersonate representatives of the company and dupe customers into divulging such information, said Jim Wilson.
Attackers could also have leveraged back-end technical logs to gain deeper control of the unsecured server, to mount ransomware attacks for instance.
Windeln.de said it had launched an investigation into the incident.
"We very much regret this incident and apologize to all customers affected,” said Matthias Peuckert, CEO of Windeln.de SE.
“Now, our focus is on clarifying the details, learning from what has happened, and avoiding damage to our customers as far as possible.”
A spokesperson for Windeln.de told The Daily Swig they are informing customers “about the incident, including advice on how to prevent phishing attacks”.
The incident is the latest in a long line of unsecured ElasticSearch servers to be discovered, including news that emerged this week of the exposure of 320 million records associated with adult websites.
The Daily Swig has contacted the Safety Detectives for further comment.