Hariexpress, a Brazilian e-commerce entity that provides services to several of the country’s major online shopping websites, exposed about 1.75 billion confidential files.
Hariexpress is based in São Paulo and integrates different processes into one platform to help businesses with multiple e-commerce stores increase efficiency and operational competence.
Magazine Luiza, Mercado Livre, Amazon, and B2W Digital are among the company’s clientele. The national postal service, Correios, is one of its partners, and it was also affected by the event.
The problem is attributable to a misconfigured and unsecured Elasticsearch server, said security researcher Anurag Sen of Safety Detectives, who found the leak in July 2021. The server held more than 610GB of exposed data. The researchers noted that, after their initial contact, they were unable to re-establish contact with the firm.
Experts confirm that client banking information was not compromised. However, the leak revealed a large amount of personal data, including complete names, business and residential addresses, e-mail addresses, social security numbers, and company registration numbers.
According to Safety Detectives, all sorts of purchase data, including dates, times, and prices of items sold, as well as copies of invoices and login passwords to the Hariexpress service, were also exposed.
Due to the large number of duplicate e-mail addresses identified in the leaked data, the researchers could not estimate the precise number of individuals affected. However, the breach likely affected thousands of people.
Furthermore, it is impossible to determine whether or not other parties had access to the information. Experts warn that the exposed data set may be abused in phishing and social engineering attacks.
Because of the type of information leaked, other crimes like burglary and extortion cannot be ruled out entirely.