Elasticsearch Server with No Password or Encryption Leaks a Million Records

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte. StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities. Safety Detectives wrote that full names, phone numbers, physical addresses, email addresses, and even device types were among the exposed data. Customers’ orders, plus the locations they ordered from and the times at which they ordered, were also open to the world. Safety Detectives asserts that order details included “partially masked credit card information.”

Information about StoreHub users’ staff was also exposed. So were access tokens that could allow miscreants to alter users’ StoreHub-powered sites.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top