Major German Shopping Site Leaked Customer Data

Uploaded on 2020-09-22 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A popular German online shop children’s clothing  e-commerce platform windeln.de operated an insecure Elastic-Search server, permitting the personal data of 700,000 customers could be accessed via Internet.  

The  public-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.

A team from the security firm Safety Detectives discovered a vulnerable and unsecured server located in France, containing more than 6 terabytes of data on customer data, operated by German company windeln.de

The data included names, addresses, phone numbers and payment methods and more customer information. ​The Safety detective team first detected the breach on 13 June 2020 and estimates that the server vulnerability was first exposed on the Internet on 11 June 2020. The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports.

The Safety Detectives team found that the server was completely unsecured and publicly exposed without a password. This means that anyone in possession of the server’s IP address could access the entire database. Safety Detectives tried to reach out to Windeln.de, but nobody ever got back to them.

They then contacted the German CERT in order to inform the company about the data leak. And a few days later, the server got secured.

Who is windeln.de?

First established in 2010, ‘windeln.de’ is a German-based retail company with an online shopping portal catering for baby and toddler products in Europe. The company also operates a large cross-border e-commerce business between Europe and China. The company operates several online mail-order hubs, namely: windeln.de, windeln.ch and Bebitus with China standing as the largest sales market for windeln.de. The parent company claims to serve around 700,000 customers with 40 distinct brands in 7 countries. In 2019, windeln.de generated revenues of €82 million and is currently publicly listed on the Frankfurt stock exchange.

Safety Detectives security team found around 98,000 entries including emails, full names and user IP addresses although some records were missing, duplicated or invalid.

Crucially, several information records referred to children whose parents were using the site. Records showed full names, dates of birth and gender information. Information relating to children is particularly sensitive because malicious hackers can exploit the strong bond between parent and child, by, for example, using the child’s birthday as an opportunity to deploy scams upon the parents. For example, a nefarious individual could use the birthdate to dupe the target into believing they are genuine and exploit that sense of loyalty to deploy various scams via email/telephone or in person.

Around 1,500 entries included emails, full names, phone numbers, addresses, payment methods, order date, product info, customer ID and language preference. 

However, the Safety Detectives security team confirmed that in general, the breach revealed partial records only, so not all pieces of information were available for all users. The team reported that around 128,000 instances of personal information were exposed specifying subscription status, email addresses, full names, IP addresses and order history across windeln.de’s site network.

It is difficult to clarify exactly how many users were affected by the vulnerability although windeln.de states it has served 700,000 customers to date. Some users had every piece of data exposed, whereas others, only had some exposure - presumably because they did not specify all their personal information when signing up and shopping via windeln.de.

Data Breach Impact

The impact of this data breach on users could have been severely problematic for windeln.de and its customers. However, at this stage, it is unknown whether the data made available in the leak was obtained by any third parties or malicious users.
One of the biggest dangers, in this particular case, is the personal impact on users. In this case , the financial records such as payment details or credit card numbers were not leaked, however, a vast amount of personal information means hackers can target a particular individual with phishing, phone and malware scams.

An affected user could be contacted by a hacker pretending to be from windeln.de and with the use of seemingly innocuous data such as purchase history, could convince the user into divulging much more critical data such as financial information or copies of government-IDs. 

Another more sophisticated scam is to send an email showing windeln.de branding and their personal information to incite a click-through. Upon visiting an unsecured website, hackers could potentially install malicious software on the visitor’s computer and thereby gain deeper access to someone’s life.

Preventing Data Exposure

How can consumers prevent your personal information from being exposed in a data leak and ensure that you are not a victim of a cyber-attack? Safety detectives advise the following: 

  • Be cautious of what information you give out and to whom.
  • Check that the website you are on is secure. 
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create a secure password by combining letters, numbers, and symbols
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks

Safety Detective:       BornCity:      Technadu

You Might Also Read: 

Why Is Retail Cyber Security So Weak?:

 

« Find Yourself In The Mind Of An Attacker!
TikTok’s Indian Rival Ready For Testing »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cloud Foundry Foundation (CFF)

Cloud Foundry Foundation (CFF)

Cloud Foundry supports the full application development lifecycle, from inception, through all testing stages, to deployment.

Zix

Zix

Zix offers secure email encryption, threat protection, archiving, DLP and BYOD security for hospitals, financial services, government, and more.

Assured Enterprises

Assured Enterprises

Assured Enterprises provides comprehensive cyber risk identification, management and mitigation across all platforms.

HCL Technologies

HCL Technologies

HCL offer an integrated portfolio of products, solutions and services built around Digital, IoT, Cloud, Automation, Cybersecurity, Analytics, Infrastructure Management and Engineering Services.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

FraudLabs Pro

FraudLabs Pro

FraudLabs Pro detects fraud and helps merchants to reduce e-commerce chargebacks by identifying high risk transactions.

Scarlett Cybersecurity

Scarlett Cybersecurity

Scarlett Cybersecurity provide cybersecurity services to US private and public organizations with specific emphasis on compliance and cybersecurity incident prevention, detection, and response.

Framatome

Framatome

Framatome Cybersecurity portfolio is directly inspired by its unique experience in nuclear safety for critical information systems and electrical systems design.

BriskInfosec Technology & Consulting

BriskInfosec Technology & Consulting

BriskInfosec provides information security services, products and compliance solutions to our customers.

Cyber Capital Partners

Cyber Capital Partners

Cyber Capital Partners build strategic and financial partnerships with small and mid-sized cybersecurity companies in highly regulated markets.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

Cyabra

Cyabra

Cyabra is leading the fight against disinformation. Our AI shields companies and the public sector by uncovering malicious actors, bot networks, and GenAI content.

Anagram

Anagram

Anagram is the world’s first human-driven security awareness training platform that delivers real results.

Cyberscope

Cyberscope

Cyberscope is a Web3 security firm specializing in smart contract audits, crypto security audits, and blockchain vulnerability assessments.

LabEx

LabEx

LabEx is an AI-Powered learning platform with labs spanning from Linux devops to web development and cybersecurity.