A security breach in a Brazilian platform that integrates marketplaces exposed more than 1.7 billion sensitive customer and store data registered on e-commerce sites. The amount of leaked information was estimated to be over 610 GB.
The discovery was made by the team of expert Anurag Sem, from Safety Detectives, a cybersecurity laboratory that works to help the community defend itself against cyber threats, and was published last Tuesday (12).
The publication explains that the critical flaw lies in the system of Hariexpress, a company based in the city of São Paulo that integrates e-commerce stores with different marketplaces. A misconfiguration of ElasticSearch, an open-source search engine, left Personally Identifiable Information (PII) openly accessible.
“Hariexpress’ ElasticSearch server was left unencrypted, with no password protection,” says an excerpt from the report released by Safety Detectives.
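As an added illustration (not Hariexpress' configuration and not taken from the report), the elasticsearch.yml pattern that produces an exposed server of the kind described, followed by the hardened equivalent; the certificate paths are placeholders and the two YAML documents represent two alternative files, not one.

```yaml
# Added example, not the affected company's real configuration.
# Document 1: the exposed pattern. Binding to every interface with
# security off serves all indices over plain HTTP to anyone who can
# reach port 9200, with no credentials required.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false   # the default for self-managed 7.x clusters
---
# Document 2: hardened equivalent for the same cluster.
network.host: 127.0.0.1         # or a private interface reachable only by the app tier
http.port: 9200
xpack.security.enabled: true    # every request must authenticate
# Encrypt the HTTP (client) API; keystore path is a placeholder.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic as well; paths are placeholders.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

After restarting with security enabled, set the built-in user passwords (`bin/elasticsearch-setup-passwords interactive` on 7.x); an unauthenticated `GET /` then returns HTTP 401 instead of the cluster banner, which is the quickest check that the change took effect.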
Bad configuration in ElasticSearch allowed access to PII
According to the Hariexpress website, it serves several of the largest e-commerce companies in the country, such as Mercado Livre, B2W Digital (Americanas, Submarino and others), Amazon, Shopee and Magazine Luiza. The company also has Correios as a client, which also had data exposed.
What was leaked?
The Safety Detectives publication explains that, in addition to details of purchases and orders made in e-commerces, personal customer information was leaked such as:
- Full names and usernames across platforms;
- Email address;
- Phone numbers;
- Full delivery addresses;
- Billing details (including billing addresses and the amount paid for the goods);
- Images of the delivered goods.
In the case of sellers, the leaked information included:
- Full names of vendors and usernames on the platform;
- Email addresses;
- Phone numbers;
- Commercial and residential addresses;
- Billing details (including unit price and time of sale).
Beyond the volume of sensitive data, the Safety Detectives report points out that the ElasticSearch misconfiguration also exposed links to invoice images (which included names and addresses of buyers and sellers), internal usernames and encrypted passwords (for each Hariexpress business account) and even order tracking numbers.
The cybersecurity lab also published screenshots showing that the information was in fact accessible through the ElasticSearch server. In one of the orders, it was possible to see all the details of a person who bought a “penile stretcher” on Mercado Livre. The blurred images below document the leak.
Captions of the blurred screenshots included in the report:
- The leaked order details contain consumer and supplier information;
- The leak includes information such as the CPF (individual taxpayer number);
- The details of one order showed it was a “penis elongator” bought on Mercado Livre;
- An Amazon invoice with full details was also accessible;
- For shopkeepers and merchants, CNPJ (company registration) numbers and other data were accessible.
“The vast size of the server makes it difficult to know exactly how many people were affected by this breach. We know there were thousands of email address entries in the server logs and as such we can assume that thousands of people were affected. An accurate estimate is difficult due to the presence of duplicate email address entries,” says another excerpt from the document.
Although it is one of several data leaks that took place in 2021, Safety Detectives considers this case particularly serious. The group states that the Hariexpress server may have been exposed since May 12, 2021 and was accessible for at least a month, since the team discovered the problem after that time. The researchers add that it is not possible to know whether other parties, including ethical hackers (“white hats”), had discovered the security hole before them.
“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce buyers. The leaked server content could also affect the company’s own business,” defends the laboratory.
Given the scale of the problem, Safety Detectives advises e-commerce customers to be especially alert to phishing attempts and to scams based on social engineering.
As an example, the group notes that with the leaked information scammers could build a convincing story that they are Correios (Post Office) employees, ask for some kind of confirmation and direct the victim to a malicious link.
TechWorld contacted the companies to ask what actions had been taken to address the problem. Amazon, B2W Digital, Correios, Mercado Livre and Shopee had not responded to the questions by the time this article was published.
Magazine Luiza informed, in a note, that “it counted on HariExpress as one of its integrators for a period of ten months. During this period, HariExpress added only 30 sellers [vendedores] to the company’s platform and recorded 12 sales made. So far, Magalu has not registered any data leaks and is constantly monitoring the security of its information.”
TechWorld also contacted Hariexpress to find out whether the security breach has been fixed, but had not received any response by the time this article was closed.