Around 1.75 billion sensitive files were leaked by a Brazilian e-commerce integrator that provides services to some of the country’s largest online shopping websites.
Hariexpress is headquartered in São Paulo and integrates multiple processes into a single platform to improve the efficiency and operational capability of retailers with more than one e-commerce store. Some of the company’s clients include Magazine Luiza, Mercado Livre, Amazon and B2W Digital. The national postal service, Correios, is also among the company’s partners and was also impacted by the incident.
According to security researcher Anurag Sen at Safety Detectives, who discovered the leak in July 2021, the incident is attributed to a misconfigured and unprotected ElasticSearch server and involves more than 610GB of exposed data. The researchers noted they were unsuccessful in their attempts to resume communication with the company after an initial contact.
Banking information relating to customers was not compromised, according to the experts; on the other hand, the leak exposed a vast set of sensitive information including customers’ full names, e-mail addresses, business and residential addresses, company registration and social security numbers.
In addition, all manner of details relating to purchases, including dates, times and prices of products sold, as well as copies of invoices and login credentials to the Hariexpress service, were exposed, according to Safety Detectives. The researchers could not estimate the exact number of impacted users, due to the number of duplicate email addresses found in the exposed data set, but it is estimated that several thousand users were potentially affected by the leak.
Moreover, it is not possible to tell whether other parties had access to the data, according to the researchers. The experts warned that the data set, which contains information that directly identifies users of marketplaces integrated by the company, could be used in phishing and social engineering attacks. The report also warned about the potential for other types of crimes, such as burglaries, as the exposed data includes residential and business addresses, and extortion, since the information also includes purchases of intimate products.
Contacted by ZDNet, the company did not respond to requests for comment. Brazil’s National Data Protection Agency was also contacted for comment on the case and had not responded at the time of publication.