Kids luxury clothing store Melijoe exposed 200GB of customers’ data

Melijoe was contacted about the exposed data, but it did not respond to researchers and kept sensitive information of 200,000 customers, including children, open to public access without any security authentication.

A popular online luxury clothing e-commerce website for kids, based in Paris, France, was caught exposing the personal and sensitive data of its customers worldwide, especially children.

The company in question is Melijoe, which, according to researchers at SafetyDetectives, exposed a whopping 200 GB of data containing almost 2 million files, thanks to one of its misconfigured Amazon S3 buckets.

What’s worse is that the bucket was left exposed to public access without any password or security authentication, meaning anyone with knowledge of how to find misconfigured databases could have accessed the data.
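For bucket owners, the check below is an added example and not part of the SafetyDetectives report. It takes a bucket's policy, ACL grants and Block Public Access settings, and reports which of them would let an unauthenticated request through. The report does not say which setting was wrong on Melijoe's bucket; the sample configuration and bucket name are constructed, and the policy evaluation is a stated simplification.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _is_wildcard(principal):
    """True when a policy Principal matches any caller, signed or not."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def anonymous_paths(policy, acl_grants, bpa):
    """Return the ways an unauthenticated request could reach the bucket.

    Assumption/simplification: an Allow statement with a wildcard principal
    and no Condition is public; one with a Condition is flagged for review.
    """
    bpa = bpa or {}
    found = []
    if not bpa.get("IgnorePublicAcls"):          # public ACLs still honoured
        for grant in acl_grants or []:
            if grant.get("Grantee", {}).get("URI") == ALL_USERS:
                found.append("acl:" + grant.get("Permission", "?"))
    if not bpa.get("RestrictPublicBuckets"):     # public policy still honoured
        statements = (policy or {}).get("Statement", [])
        if isinstance(statements, dict):         # a single statement is legal
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                kind = "policy-review" if stmt.get("Condition") else "policy"
                found.append(kind + ":" + stmt.get("Sid", "?"))
    return found

# Constructed sample configuration (not Melijoe's; bucket name is a placeholder).
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
BPA_OFF = dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"],
    False)
BPA_ON = dict.fromkeys(BPA_OFF, True)

if __name__ == "__main__":
    print("weak:    ", anonymous_paths(OPEN_POLICY, OPEN_ACL, BPA_OFF))
    print("hardened:", anonymous_paths(OPEN_POLICY, OPEN_ACL, BPA_ON))
```

The three inputs have the same shape as the output of the S3 `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` API calls, so the function can be fed from an inventory export.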

It is worth noting that in 2020, Melijoe was acquired by The Babyshop Group, a Swedish premium children’s e-commerce group.

SafetyDetectives identified three datasets that contained records on its customers’ purchases, preferences, and wishlists. Further analysis of these datasets revealed sensitive information such as the following:

  1. Gender
  2. Date of birth
  3. Phone numbers
  4. Email addresses
  5. Billing addresses
  6. Payment methods
  7. Full names of children
  8. Preferences of brands
  9. Delivery information (delivery addresses and delivery dates)

And the list goes on…

Screenshot from customers’ wishlists (Image: SafetyDetectives)

The information exposed in the incident was uploaded on the misconfigured Melijoe bucket between October 2016 and November 8th, 2021.

Who cares for children’s data? Not Melijoe!

In its blog post published Feb 21st, 2022, SafetyDetectives revealed that its cybersecurity team informed Melijoe about the incident on November 12th, 2021; however, it did not receive any response from the company.

As a result, on November 25th, 2021, the researchers contacted AWS and the French Computer Emergency Response Team (CERT) but only received a response from French CERT on December 15th, 2021.

Initially, French CERT confirmed that it would inform Melijoe. However, a month later, the agency revealed that the shopping site did not respond to its alert, which is also a clear violation of the General Data Protection Regulation (GDPR).

On January 5th, 2022, SafetyDetectives contacted Commission Nationale de l’informatique et des libertés (CNIL), an independent French administrative regulatory body that handles data, privacy, storage, and use of personal data related issues in the country.

On January 10th, 2022, CNIL confirmed that authorities are handling the issue. Yet the bucket remained exposed for a month and only got secured on February 18th, 2022.


It is still unclear whether the database was accessed by a third party with malicious intent, such as ransomware gangs or crooks who sell databases. But if it was, it would be devastating for customers.

Additionally, threat actors can use the exposed data for identity theft, to make fake IDs based on legitimate information, and to carry out phishing or malspam attacks against unsuspecting individuals. Hence, the possibilities are endless.

If you shop at Melijoe, it is the right time to contact the company and inquire about the breach and their delayed response in securing your financial data and sensitive information about your children.
