US supermarket giant Wegmans exposed sensitive data

It took Wegmans a month to respond and secure its data after the Website Planet security team’s responsible disclosure.


In recent news, Wegmans Food Markets, Inc., a private US supermarket chain with 106 stores across the country, exposed sensitive credentials and other internal data through a misconfigured Microsoft Azure Blob Storage server.

The exposed data totalled 626 MB. The number of records is unknown, but the files contained the following types of sensitive data:

  • Backend secrets
  • Access keys
  • AES decryption keys
  • Whitelisted IPs
  • Deployed files

It is worth noting that the backend secrets included confidential company information and passwords to company accounts, while the access keys granted entry to several other servers as well as to Wegmans’ SQL database.

Furthermore, the exposed AES decryption keys would let any third party, including threat actors, decrypt other files, and the deployed files could reveal further details about how Wegmans’ website is built and run.

The server was live at the time of discovery, suggesting the content of the server is current and relevant to Wegmans’ business operations today, Website Planet Security Team wrote in their report.

Because the exposed keys could give attackers access to Wegmans’ primary SQL database, this leak could potentially affect a large number of its customers. As of right now, however, the only confirmed impact is on Wegmans itself and its business operations.
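The root cause here is a storage container that answers anonymous requests. The following script is an added example, not code from Website Planet or Wegmans: it builds the anonymous container-listing URL for an Azure Blob Storage container, parses the XML the service returns when listing is public, and triages the returned blob names for the kinds of files found in this leak (backend secrets, access keys, AES keys, IP allow-lists, deployment artifacts). The account and container names, the sample listing and the filename patterns are all constructed for illustration.

```python
"""Added example: check an Azure Blob Storage container for anonymous listing
and triage the blob names it exposes. Not part of the original report.
Account and container names below are hypothetical."""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Anonymous container listing. The service returns 200 with an
# EnumerationResults document only when the container's public-access level is
# "container"; a private container or one set to "blob" returns an HTTP error.
LIST_URL = "https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"

# Filename patterns to flag first, matching the categories in the Wegmans leak.
# These are illustrative heuristics, not an exhaustive secret-detection ruleset.
SENSITIVE_PATTERNS = [
    (re.compile(r"(^|/)\.env(\..*)?$"), "backend secrets"),
    (re.compile(r"appsettings.*\.json$", re.I), "backend secrets"),
    (re.compile(r"\.(pem|pfx|p12|key)$", re.I), "private key / AES key"),
    (re.compile(r"(access|secret|api)[_-]?key", re.I), "access key"),
    (re.compile(r"(whitelist|allowlist|allowed[_-]?ips)", re.I), "whitelisted IPs"),
    (re.compile(r"web\.config$", re.I), "deployed files (connection strings)"),
]

# Constructed sample of what a publicly listable container returns.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="deploy">
  <Blobs>
    <Blob><Name>site/index.html</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
    <Blob><Name>site/appsettings.Production.json</Name><Properties><Content-Length>1200</Content-Length></Properties></Blob>
    <Blob><Name>keys/aes-master.key</Name><Properties><Content-Length>32</Content-Length></Properties></Blob>
    <Blob><Name>ops/whitelist_ips.txt</Name><Properties><Content-Length>88</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def listing_url(account, container):
    """URL an unauthenticated client would request to enumerate the container."""
    return LIST_URL.format(account=account, container=container)


def parse_listing(xml_text):
    """Extract blob names from an EnumerationResults document (no XML namespace)."""
    root = ET.fromstring(xml_text)
    return [blob.findtext("Name") for blob in root.iter("Blob") if blob.findtext("Name")]


def flag_sensitive(names):
    """Return (blob_name, category) for every name that matches a sensitive pattern.
    The first matching pattern wins, so each blob is reported once."""
    hits = []
    for name in names:
        for pattern, category in SENSITIVE_PATTERNS:
            if pattern.search(name):
                hits.append((name, category))
                break
    return hits


def probe_container(account, container, timeout=10):
    """Live check (needs network). Returns ("public", names) when anonymous
    listing succeeds, ("not-listable", http_status) when the service refuses,
    or ("error", message) on a transport failure."""
    req = urllib.request.Request(listing_url(account, container),
                                 headers={"x-ms-version": "2020-10-02"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "public", parse_listing(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return "not-listable", e.code
    except (urllib.error.URLError, OSError) as e:
        return "error", str(e)


if __name__ == "__main__":
    # Offline demo against the constructed sample; pass ACCOUNT CONTAINER to probe live.
    names = parse_listing(SAMPLE_LISTING)
    for blob, category in flag_sensitive(names):
        print(f"[{category}] {blob}")
    if len(sys.argv) == 3:
        status, detail = probe_container(sys.argv[1], sys.argv[2])
        print(status, detail if status != "public" else flag_sensitive(detail))
```

A "not-listable" result does not prove the data is safe: a container set to "blob" public access still serves any blob whose URL is known or guessable, so the fix is to disable anonymous access at both levels (for example `az storage account update --allow-blob-public-access false` and `az storage container set-permission --public-access off`) and then rotate every key and password that lived in the container, since the listing gives no way to tell whether someone else downloaded them first.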

Image: 1: Access keys, 2: AES decryption keys, 3: Passwords in ‘backend secrets.’ (Website Planet)

The Website Planet security team sent a responsible disclosure to Wegmans on March 10th, 2021 after they discovered the unsecured Azure Blob Storage Server but they did not receive any reply even after several follow-ups.

The company finally responded on April 13th, more than a month after the disclosure, but the data was not secured until April 19th. It remains unclear whether the data was accessed by a third party with malicious intent.
