Walmart Jewelry Partner Exposes Data of Millions of Customers

Unsecured Amazon S3 Bucket Claims Another Victim – This Time, the Private Data of 1.3 Million Limogés Jewelry Customers Has Been Exposed.

Have you heard of MBM Company Inc.? Probably not, because not many are familiar with this name, but you must be familiar with the brand name Limogés Jewelry. Limogés Jewelry is actually the jewelry brand of the Chicago, IL-based MBM Company Inc. The company sells jewelry for children, men, and women, including pendants, earrings, necklaces, watches, engagement rings, and wedding rings.

1.3 Million Limogés Jewelry Customers exposed

MBM Company is an established name in the industry, but currently it is in the news for all the wrong reasons. Reportedly, researchers at the Germany-based security firm Kromtech Security have discovered an unsecured Amazon S3 storage bucket containing an MSSQL database backup file. Kromtech’s security research team believes that MBM Company has been careless in handling customer data.

Initially, researchers suspected that the data was the property of Walmart because the storage bucket was named ‘walmartsql’, but after thoroughly analyzing the file they concluded that it belonged to MBM Company Inc. They also identified that data from a number of retailers, including Walmart, was part of the database.

Plain text passwords exposed to public

Kromtech Security’s head of communications, Bob Diachenko, revealed that when the discovered file was assessed further, it was found to contain private and sensitive data belonging to more than 1.3 million people (1,314,193 to be precise).

The data included sensitive personal information such as residential addresses, e-mail IDs, IP addresses and ZIP codes, along with the plaintext passwords of this massive number of people. That’s not all: the file also contains internal mailing lists, item orders, and promo codes. Diachenko referred to this as “great negligence” on the part of MBM Company Inc.

Screenshot of the exposed data (Credit: Kromtech)

“Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts,” a statement from Diachenko read.

The discovered backup file was titled ‘MBMWEB_backup_2018_01_13_003008_2864410.bak’; researchers have confirmed that it was created on January 13, 2018. The database contains information about the company’s customers in the US and Canada, and the file contains updated information, which means the data is current. Customer records dating back to the year 2000 are also part of the database, whereas the most recent records are from early 2018. Experts are of the opinion that this might be the primary database used by MBM Company.

Diachenko claims that, considering the severity of this incident, it can be termed a serious issue. Various factors cumulatively suggest that MBM Company adopted insufficient security practices: for instance, the bucket name was quite “easy to guess” and sat under the common S3 domain suffix, so anyone could have identified it using one of the countless scanning tools available on the internet.

Furthermore, the presence of plaintext passwords is also an issue of “great concern,” stated Diachenko, as most users re-use the same password for accessing multiple accounts, including email.

Currently, it is not clear whether the database has been accessed by any malicious third party, since researchers did not observe ransom notes. Previously, when MongoDB databases were exposed, ransom notes appeared on a regular basis, but this is not the case in this incident. Solely on this basis, however, it is difficult to claim that nobody has accessed the database, said Diachenko.

Insecure Amazon S3 buckets have already victimized a number of mainstream firms, despite the fact that it is fairly easy to require authentication for access to a bucket. MBM Company isn’t the first to have failed to protect a customer database: FedEx, Alteryx, the City of Chicago and RNC contractor Deep Root have all been affected due to their lackluster security measures.

Security experts opine that prior to using this technology, companies must familiarize themselves with the basics of security. That’s because, after so many incidents involving Amazon S3 buckets, having a storage bucket that is exposed to public access while containing such sensitive personal data as email IDs and passwords is downright negligence.
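The two ways an S3 bucket ends up readable by anyone are a bucket policy whose Principal is a wildcard and an ACL grant to the AllUsers or AuthenticatedUsers groups. The following is an added example, written for this article and not code from Kromtech, MBM Company or AWS, that evaluates both documents offline. The policy and ACL samples are constructed (the bucket name reuses the article's ‘walmartsql’, but nothing else about the real bucket's configuration is known), and the account id and owner id are placeholders.

```python
import json

# Grantee URIs that make an ACL grant world-readable (these are the real AWS group URIs;
# AuthenticatedUsers counts as public because any AWS account holder qualifies).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample documents: the policies and grants are assumptions, not the real bucket's settings.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::walmartsql", "arn:aws:s3:::walmartsql/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupWriterOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},  # placeholder account id
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::walmartsql/*",
    }],
})

# Grant lists in the shape GetBucketAcl returns (values constructed).
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
PRIVATE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard_principal(principal):
    """True when the statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_statements(policy_json):
    """Return (sid, sorted actions, has_condition) for every Allow statement whose
    Principal is a wildcard. A statement carrying a Condition may still be scoped
    (e.g. to a VPC endpoint), so it is reported with has_condition=True for review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        findings.append((sid, sorted(_as_list(stmt.get("Action"))), "Condition" in stmt))
    return findings


def acl_public_grants(grants):
    """Return the permissions granted to the AllUsers or AuthenticatedUsers groups."""
    public = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            public.append(grant["Permission"])
    return public


def bucket_is_public(policy_json, grants):
    """A bucket is reachable anonymously if either its policy or its ACL opens it up."""
    unconditional = [f for f in policy_public_statements(policy_json) if not f[2]]
    return bool(unconditional) or bool(acl_public_grants(grants))


if __name__ == "__main__":
    for name, policy, grants in [("public", PUBLIC_POLICY, PUBLIC_ACL_GRANTS),
                                 ("restricted", RESTRICTED_POLICY, PRIVATE_ACL_GRANTS)]:
        print(name, "public:", bucket_is_public(policy, grants),
              "policy findings:", policy_public_statements(policy),
              "acl grants:", acl_public_grants(grants))
```

Against a real account the same functions can be fed the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` for each bucket; the account-level fix that makes a ‘walmartsql’-style mistake impossible is S3 Block Public Access, which overrides both public policies and public ACLs.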

It is also very careless of MBM Company to store customers’ private data directly in a storage bucket, with passwords in plain text and without encryption.

Diachenko recommends that firms store passwords in encrypted form and force customers to use complex passwords containing at least one upper case letter, one lower case letter, one symbol, and one numeric digit; passwords should be up to 12 characters long.
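What “storing passwords in encrypted form” means in practice is a salted, slow hash (a key derivation function), so that a leaked backup like this one yields no reusable credentials. The block below is an added example written for this article, not code from MBM Company or Kromtech: it hashes with PBKDF2-HMAC-SHA256 from the Python standard library, verifies in constant time, applies Diachenko's character-class rule, and migrates a constructed users table away from plaintext. The iteration count, the sample rows and the reading of the 12-character rule as a minimum length are all assumptions.

```python
import hashlib
import hmac
import os
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000          # work factor; an assumption, tune upward as hardware allows
SALT_BYTES = 16

# Constructed rows in the shape of a leaked users table with plaintext passwords.
# E-mail addresses and passwords are invented; none come from the real backup.
PLAINTEXT_ROWS = [
    {"email": "alice@example.com", "password": "Sunflower!2018"},
    {"email": "bob@example.com", "password": "password"},
]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 digest and return a self-describing record
    'algorithm$iterations$salt_hex$digest_hex' so the parameters can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                           # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_meets_policy(password, min_length=12):
    """Apply the upper/lower/digit/symbol rule (12 characters read as a minimum, an assumption);
    return (ok, list of failed checks) so a sign-up form can tell the user what is missing."""
    checks = {
        "length": len(password) >= min_length,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)


def migrate_plaintext_rows(rows):
    """Replace each plaintext password with a hash record; the plaintext column is dropped."""
    migrated = []
    for row in rows:
        migrated.append({"email": row["email"], "password_hash": hash_password(row["password"])})
    return migrated


if __name__ == "__main__":
    for row, safe in zip(PLAINTEXT_ROWS, migrate_plaintext_rows(PLAINTEXT_ROWS)):
        ok, failed = password_meets_policy(row["password"])
        print(safe["email"], "policy ok:", ok, "failed:", failed,
              "verifies:", verify_password(row["password"], safe["password_hash"]))
```

The record format carries its own algorithm and iteration count, so the work factor can be raised for new passwords without breaking verification of old ones; a backup of the migrated table exposes only salts and digests, which is exactly the property the leaked MBMWEB backup lacked.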

Kromtech Security researchers notified Walmart about the publicly available Amazon S3 bucket and the retail giant immediately secured the bucket. As of now, MBM Company hasn’t released any statement.

Previous Amazon S3 Bucket Data Leaks

Lately, there have been a number of incidents in which millions of customers had their personal and sensitive data exposed due to public unsecured Amazon S3 buckets. Here is a list of some of the incidents:

100GB of Classified NSA Data
14 Million Verizon Customer Records
Massive Trove of Sensitive ‘Accenture’ Data
Gigabyte worth of Viacom data and configuration files
Medical Records and Sensitive Data of 150,000 US Patients
Sensitive Data of 123 Million American Households Exposed 
119,000 FedEx users passports, security ID & driving licenses
Over Half a Million US Vehicle Records from SVR Tracking Data
Tesla Amazon Cloud Server Exposed to Mine Monero Cryptocurrency
400GB worth US Military’s Social Media Spying Campaign Related Data

Source: MacKeeper/Kromtech | Image credit: DepositPhotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.