Cybersecurity researchers at SafetyDetectives uncovered that Brazilian marketplace integrator platform Hariexpress exposed nearly 1.8 billion records of private customer and seller data after misconfiguring an Elasticsearch server.
Earlier this year in June, SafetyDetectives researchers unearthed exposed data and were able to trace the leak back to Hariexpress. Hariexpress is a firm that allows vendors to manage and automate their activity across several marketplaces such as Facebook, Amazon, Magazine Luiza, and Mercado Livre.
According to the researchers, the company’s Elasticsearch server was left unencrypted with no password protection in place. It contained 610GB of data, including users’ full names, home and delivery addresses, contact numbers, and billing details including billing addresses. Also leaked were vendors’ full names, CPF numbers, billing details, contact numbers, email and business/home addresses, and CNPJ numbers (the National Register of Brazilian businesses).
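The misconfiguration described above, an Elasticsearch node reachable without authentication or TLS, comes down to a handful of settings in elasticsearch.yml. The fragment below is an added illustration, not configuration from Hariexpress or from the SafetyDetectives report; the bind address and certificate paths are placeholders, and the two YAML documents contrast the weak pattern with a hardened one.

```yaml
# --- Weak: the pattern behind exposures like the one described above ---
# Bound to every interface with security disabled: anyone who can reach
# port 9200 can read, modify or delete every index with no credentials.
network.host: 0.0.0.0
xpack.security.enabled: false
---
# --- Hardened: what a production node should look like instead ---
# Keep the HTTP API off public interfaces; front it with the application
# tier or a firewall-restricted internal address.
network.host: 10.0.0.5            # placeholder: an internal address, not 0.0.0.0

# Require credentials (users, roles or API keys) for every request.
xpack.security.enabled: true

# Encrypt client traffic so credentials and documents are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                        # placeholder path

# Encrypt node-to-node traffic as well (required once security is enabled
# on a multi-node cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # placeholder path
```

With the hardened settings in place, an unauthenticated request to port 9200 on your own node should return HTTP 401 rather than cluster metadata, which is the quick check to run during an audit. Elasticsearch 8 enables security by default, so the weak form is mostly found on older or deliberately downgraded deployments.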
However, SafetyDetectives could not estimate the total number of victims due to the size of the trove and the potential for fake email addresses.
“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” SafetyDetectives stated.
Additionally, it is not possible to know whether another party has accessed the data, according to the researchers. Experts have warned that datasets containing information that directly identifies customers of the marketplaces integrated by the firm could be used in phishing and social engineering attacks. Because the records also include purchases of intimate products alongside residential and company addresses, blackmail and other crimes such as robbery are possible.
“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach,” researchers added.
According to security experts, victims may be able to recover damages because Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD), apparently gives regulators the power to fine companies that violate it up to 2% of the previous year’s revenue, capped at 50 million Brazilian reals ($10m). Given the scale of the problem, SafetyDetectives also recommends that e-commerce users heighten their awareness of phishing attempts and, in particular, social engineering fraud.