The database was hosted on a misconfigured Elasticsearch server.
Database leaks have become a common occurrence now with a breach happening almost every day. In the latest, researchers from vpnMentor have reported on a new database leak discovered on June 28, 2020, due to a misconfigured Elasticsearch server.
The researchers attributed the database to BrandBQ, a Polish online fashion retail company that also happens to have physical outlets. With over 500,000 downloads alone on Android coupled with its iOS installations, the number of users impacted is immense, estimated to be up to 6.7 million people.
These users are located mainly in 7 Eastern European countries such as Poland, Romania, Hungary, Bulgaria, Slovakia, and the Czech Republic.
The data exposed amounts to over 1 TB numbering 1 billion records and includes a range of personally identifiable information(PII) of the company’s customers such as full names, email addresses, phone numbers, and payment details without card numbers.
But this is not all, confidential details of its local contractors have also been revealed which go above and beyond the previously mentioned PII and additionally include VAT numbers, payment methods, names of the package receivers, and purchase information that is connected to orders.
On the other hand, contrary to usual cases, another layer of data was also leaked here with 49 million entries. This involved details about how the company’s database is structured and how it responds to scenarios like system errors and blacklisted emails – all of which could be used by future attackers to their advantage.
The incident should not come as a surprise since Elasticsearch servers have a long history of exposing data online. Furthermore, misconfigured databases have exposed billions of sensitive records in the last couple of years.
Adding further detail, vpnMentor stated in their blog post that,
In addition to BrandBQ’s proprietary websites, the database also contained logs of API calls from Answear’s mobile app on iOS and Android. These revealed any actions taken by a user on the app, along with their PII data.
To conclude, the researchers as with standard practice reached out to the parent company’s brands – Answear and WearMedicine who they believed had been impacted by this.
As a result, it was acknowledged by the parent BrandBQ and later a patch was issued on August 20, just under a month later, which means the database is secure now.
Regardless of this, all users are advised to change their passwords and be on the lookout for phishing & other forms of social engineering attacks which could occur as a consequence.
Moreover, BrandBQ on its own also needs to be vigilant about the fact that the exposed data could be used to the advantage of its competitors, especially in the data-intensive world we live in today.
Hence, to counter such a strategy should be in the works for them along with adequately training employees on best security practices.