A database in a plain-text format containing nearly a million customer records was exposed online, according to security researcher Jeremiah Fowler and the Website Planet research team. Researchers discovered a non-password-protected Elasticsearch database on March 3rd.
The improperly protected cloud database belonged to Office Depot Europe, as there were multiple references to the company in the records. The researchers immediately sent a responsible disclosure to Office Depot. The company secured the database within hours and sent a letter of gratitude to the researchers.
Before the database was secured, it exposed records labeled as “Production” that contained customer names, phone numbers, physical addresses, and more, according to the Website Planet researchers who viewed the data. It also contained monitoring and file logs exposing confidential internal records of Office Depot.
On March 5th the researchers received a reply from the Office Depot Europe Security Operations team thanking them for the alert and for raising awareness of the exposed data.
If the data had leaked to cybercriminals, they could have used it to target Office Depot customers in social engineering or phishing attacks.
According to the Website Planet researchers, the database contained a total of 974,050 records. It exposed indices including monitoring-kibana, apm-metric, filebeat, and heartbeat logs; host names and IP addresses; SSH login information; dashboard and user group logs of internal employees; European customer records, mostly referencing Germany; customer PII such as names, phone numbers, physical addresses (home and/or office), @members.ebay addresses, and hashed passwords; and Marketplace logs and order history, exposing the customers’ past purchases and costs.
Beyond the customer data, the records exposed detailed information about the internal layout of the network, which would give a potential attacker a clear picture of where known vulnerabilities could be exploited or suggest other avenues of intrusion.