A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.
A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.
Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity can confirm that the issue has now been fixed.
The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).