Ecco, a global shoe manufacturer and retailer, exposed millions of documents. Not only could anyone have modified the data, but the severity of the server misconfiguration likely left the company open to an attack that could have affected customers all over the world.
The Cybernews research team discovered an exposed instance hosting a trove of data for Ecco. The team identified 50 indices that Ecco left open to the public, amounting to over 60GB of data that had been accessible since June 2021.
Millions of sensitive documents, from sales records to system information, were accessible. Anyone who found the instance could have viewed, edited, copied, or deleted the data.
Cybernews reached out to Ecco but received no reply before going to press. However, at the time of publishing, the company appears to have fixed the problem.
The research team recently discovered an exposed instance hosting Kibana, the visualization dashboard for Elasticsearch, for Ecco. Kibana lets users query and visualize data stored in Elasticsearch, a search and analytics engine favored by enterprises dealing with large volumes of data.
Even though the instance hosting the dashboard was protected with basic Hypertext Transfer Protocol (HTTP) authentication, the server was misconfigured so that the password prompt covered only the dashboard pages: Application Programming Interface (API) requests were allowed straight through, so anyone who skipped the login page and talked to the API directly could read and modify the indices behind it. Under an umbrella with leaky shoes, indeed.
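The practical lesson of that misconfiguration is that a login prompt on the dashboard says nothing about whether the API behind it is protected. The following script, written for this article and not part of Cybernews' or Ecco's tooling, probes a Kibana/Elasticsearch front end unauthenticated and reports every API path that answers 200 while the dashboard itself demands credentials. The probe paths, the `audit` function, and the constructed `LeakyFrontEnd` mock server (which reproduces the described behaviour locally so the script runs offline) are all assumptions made for the example; run it only against hosts you are authorised to test.

```python
"""Detect a Kibana/Elasticsearch front end whose HTTP Basic auth covers only the
dashboard while API requests pass through unauthenticated.

Example code written for this article; not Cybernews' or Ecco's tooling.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths to probe (assumed for the example). "/" is the dashboard; the other
# three are Kibana and Elasticsearch API endpoints that must never answer
# without credentials.
PROBES = {
    "dashboard": "/",
    "kibana_status_api": "/api/status",
    "es_indices": "/_cat/indices?format=json",
    "es_search": "/_search?size=1",
}


def probe(base_url, path, timeout=5):
    """Send an unauthenticated GET and return the HTTP status code."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return err.code


def audit(base_url):
    """Return (status per probe, names of API probes reachable without auth).

    An endpoint is counted as leaking when it returns 200 to a request that
    carried no Authorization header; the dashboard itself is excluded because
    its 401 is exactly what we expect to see.
    """
    results = {name: probe(base_url, path) for name, path in PROBES.items()}
    leaking = [name for name, status in results.items()
               if name != "dashboard" and status == 200]
    return results, leaking


class LeakyFrontEnd(BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfigured server: Basic auth is
    enforced on the dashboard only; every other path is served unauthenticated
    with a fabricated index listing."""

    def do_GET(self):
        if self.path == "/" and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="kibana"')
            self.end_headers()
            return
        # Constructed sample payload standing in for a real index listing.
        body = json.dumps([{"index": "sales-2021.06", "docs.count": "1234567"}]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output to the audit result only


def start_mock_server():
    """Start the constructed leaky server on a free port; return (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), LeakyFrontEnd)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    url, server = start_mock_server()
    statuses, leaks = audit(url)
    server.shutdown()
    print("statuses:", statuses)
    print("API endpoints answering without credentials:", leaks)
```

Point `audit()` at a real host instead of the mock to use it as a check: a dashboard that returns 401 alongside any API probe returning 200 is the pattern described above. The mock returns an unchanged response whether or not credentials are supplied to the API paths, which is exactly the property the Basic auth layer was supposed to prevent.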