HackRead

Walmart Jewelry Partner Exposes Data of Millions of Customers

March 15th, 2018 | By Waqas | Security, Leaks, Privacy

Unsecured Amazon S3 Bucket Claims Another Victim – This Time, Private Data of 1.3 Million Limogés Jewelry Customers Have Been Exposed.

Have you heard about MBM Company Inc.? Probably not, because few people are familiar with the name, but you may well know the brand name Limogés Jewelry. Limogés Jewelry is the jewelry brand of the Chicago, IL-based MBM Company Inc. The company sells jewelry for children, men and women, including pendants, earrings, necklaces, watches, engagement rings, and wedding rings.

1.3 Million Limogés Jewelry Customers exposed

MBM Company is an established name in the industry, but it is currently in the news for all the wrong reasons. Researchers at Germany-based security firm Kromtech Security have reportedly discovered an unsecured Amazon S3 storage bucket containing an MSSQL database backup file. Kromtech’s security research team believes that MBM Company has been careless in handling customer data.

Initially, researchers suspected that the data was the property of Walmart because the storage bucket was named ‘walmartsql’ but later, after thoroughly analyzing the file, they came to the conclusion that it belonged to MBM Company Inc. They also identified that data from a number of retailers including Walmart was part of the database.

Plain text passwords exposed to public

Kromtech Security’s head of communications Bob Diachenko revealed that when the discovered file was further assessed, it was learned that it contained private and sensitive data belonging to more than 1.3 million people (1,314,193 to be precise).

The data included sensitive personal information such as residential addresses, e-mail IDs, IP addresses and zip codes, along with the plaintext passwords of this massive number of people. That’s not all; the file also contains internal mailing lists, item orders, and promo codes. Diachenko referred to this as “great negligence” on the part of MBM Company Inc.


Screenshot of the exposed data (Credit: Kromtech)

“Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts,” a statement from Diachenko read.

The discovered backup file was titled ‘MBMWEB_backup_2018_01_13_003008_2864410.bak’; researchers have confirmed that it was created on January 13, 2018. The database contains information about the company’s customers within the US and Canada, and the file contains updated information, which means the data is current. Customer records from the year 2000 are also part of the database, whereas the most recent records are from early 2018. Experts are of the opinion that this might be the primary database used by MBM Company.

Diachenko says the severity of the incident makes it a serious issue. Several factors together suggest that MBM Company adopted insufficient security practices. For example, the bucket name was quite “easy-to-guess” and had an S3 domain name with a common suffix, which anyone could have identified using one of the countless scanning tools available on the internet.

Furthermore, the presence of plaintext passwords is also an issue of “great concern,” stated Diachenko, as users mostly re-use the same passwords for accessing multiple accounts, including email.

Currently, it is not clear if the database has been accessed by any malicious third-party since researchers did not observe ransom notes. Previously when MongoDB databases were exposed, ransom notes appeared on a regular basis, but this is not the case in this incident. But, solely on this basis, it is difficult to claim that nobody has accessed the database, said Diachenko.

Insecure Amazon S3 buckets have already victimized a number of mainstream firms, even though it is fairly easy to properly authenticate access to a bucket. MBM Company isn’t the first to have failed to protect its customer database; FedEx, Alteryx, the City of Chicago and RNC contractor Deep Root have all been affected due to their lackluster security measures.

Security experts opine that prior to using this technology, companies must familiarize themselves with the basics of security. That’s because having a storage bucket that is exposed to public access while containing such sensitive personal data as email IDs and passwords after so many incidents involving Amazon S3 buckets is downright negligence.

It is also very careless of MBM Company to store private data of customers directly on a storage bucket with passwords in plain text format without encryption.

Diachenko recommends that firms store passwords in encrypted form and require customers to use complex passwords with at least one upper case letter, one lower case letter, one symbol, and one numeric digit; passwords should be up to 12 characters long.

Kromtech Security researchers notified Walmart about the publicly available Amazon S3 bucket and the retail giant immediately secured the bucket. As of now, MBM Company hasn’t released any statement.

Previous Amazon S3 Bucket Data Leaks

Lately, there have been a number of incidents in which millions of customers had their personal and sensitive data exposed due to public unsecured Amazon S3 buckets. Here is a list of some of the incidents:

100GB of Classified NSA Data
14 Million Verizon Customer Records
Massive Trove of Sensitive ‘Accenture’ Data
Gigabyte worth of Viacom data and configuration files
Medical Records and Sensitive Data of 150,000 US Patients
Sensitive Data of 123 Million American Households Exposed 
119,000 FedEx users passports, security ID & driving licenses
Over Half a Million US Vehicle Records from SVR Tracking Data
Tesla Amazon Cloud Server Exposed to Mine Monero Cryptocurrency
400GB worth US Military’s Social Media Spying Campaign Related Data

Source: Mackeeper/Kromtech | Image credit: DepositPhotos

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
