Major German Shopping Site Leaked Customer Data

Uploaded on 2020-09-22 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A popular German online shop children’s clothing  e-commerce platform windeln.de operated an insecure Elastic-Search server, permitting the personal data of 700,000 customers could be accessed via Internet.  

The  public-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.

A team from the security firm Safety Detectives discovered a vulnerable and unsecured server located in France, containing more than 6 terabytes of data on customer data, operated by German company windeln.de

The data included names, addresses, phone numbers and payment methods and more customer information. ​The Safety detective team first detected the breach on 13 June 2020 and estimates that the server vulnerability was first exposed on the Internet on 11 June 2020. The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports.

The Safety Detectives team found that the server was completely unsecured and publicly exposed without a password. This means that anyone in possession of the server’s IP address could access the entire database. Safety Detectives tried to reach out to Windeln.de, but nobody ever got back to them.

They then contacted the German CERT in order to inform the company about the data leak. And a few days later, the server got secured.

Who is windeln.de?

First established in 2010, ‘windeln.de’ is a German-based retail company with an online shopping portal catering for baby and toddler products in Europe. The company also operates a large cross-border e-commerce business between Europe and China. The company operates several online mail-order hubs, namely: windeln.de, windeln.ch and Bebitus with China standing as the largest sales market for windeln.de. The parent company claims to serve around 700,000 customers with 40 distinct brands in 7 countries. In 2019, windeln.de generated revenues of €82 million and is currently publicly listed on the Frankfurt stock exchange.

Safety Detectives security team found around 98,000 entries including emails, full names and user IP addresses although some records were missing, duplicated or invalid.

Crucially, several information records referred to children whose parents were using the site. Records showed full names, dates of birth and gender information. Information relating to children is particularly sensitive because malicious hackers can exploit the strong bond between parent and child, by, for example, using the child’s birthday as an opportunity to deploy scams upon the parents. For example, a nefarious individual could use the birthdate to dupe the target into believing they are genuine and exploit that sense of loyalty to deploy various scams via email/telephone or in person.

Around 1,500 entries included emails, full names, phone numbers, addresses, payment methods, order date, product info, customer ID and language preference. 

However, the Safety Detectives security team confirmed that in general, the breach revealed partial records only, so not all pieces of information were available for all users. The team reported that around 128,000 instances of personal information were exposed specifying subscription status, email addresses, full names, IP addresses and order history across windeln.de’s site network.

It is difficult to clarify exactly how many users were affected by the vulnerability although windeln.de states it has served 700,000 customers to date. Some users had every piece of data exposed, whereas others, only had some exposure - presumably because they did not specify all their personal information when signing up and shopping via windeln.de.

Data Breach Impact

The impact of this data breach on users could have been severely problematic for windeln.de and its customers. However, at this stage, it is unknown whether the data made available in the leak was obtained by any third parties or malicious users.
One of the biggest dangers, in this particular case, is the personal impact on users. In this case , the financial records such as payment details or credit card numbers were not leaked, however, a vast amount of personal information means hackers can target a particular individual with phishing, phone and malware scams.

An affected user could be contacted by a hacker pretending to be from windeln.de and with the use of seemingly innocuous data such as purchase history, could convince the user into divulging much more critical data such as financial information or copies of government-IDs. 

Another more sophisticated scam is to send an email showing windeln.de branding and their personal information to incite a click-through. Upon visiting an unsecured website, hackers could potentially install malicious software on the visitor’s computer and thereby gain deeper access to someone’s life.

Preventing Data Exposure

How can consumers prevent your personal information from being exposed in a data leak and ensure that you are not a victim of a cyber-attack? Safety detectives advise the following: 

  • Be cautious of what information you give out and to whom.
  • Check that the website you are on is secure. 
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create a secure password by combining letters, numbers, and symbols
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks

Safety Detective:       BornCity:      Technadu

You Might Also Read: 

Why Is Retail Cyber Security So Weak?:

 

« Find Yourself In The Mind Of An Attacker!
TikTok’s Indian Rival Ready For Testing »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

StickyMinds

StickyMinds

StickyMinds is the web's first interactive testing community exclusively engaged in improving software quality throughout the software development lifecycle.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Allgress

Allgress

Allgress solutions converge disparate risk silos across enterprise networks and automate governance, risk and compliance management processes.

ACI Solutions

ACI Solutions

ACI Solutions is a managed IT services and network security provider working with diverse global commercial, government and public sector clients.

Cyxtera Technologies

Cyxtera Technologies

Cyxtera offers powerful, secure IT infrastructure capabilities paired with agile, dynamic software-defined security.

Valtori

Valtori

Government ICT Centre Valtori provides sector-independent ICT services for the central government, while taking into account the special requirements related to security and preparedness.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

Seknox

Seknox

Seknox TRASA™ protects your business from insider threats.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

WhiteHawk

WhiteHawk

WhiteHawk is the first online Cyber Security Exchange. We help you understand your cyber risk and match you to tailored and affordable solutions.

LogicalTrust

LogicalTrust

LogicalTrust security testing specialists find the weakest points in your company and show you how to fix them step-by-step, as well as how to improve your security.

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

NetCentrics

NetCentrics

NetCentrics leverages an innovative, agile, ‘what’s-next’ approach to our customers’ IT and cyber challenges.

QuantumCTek

QuantumCTek

QuantumCTek is a Chinese pioneer and leader in commercialized quantum information technology (QIT).

Waterleaf International

Waterleaf International

Waterleaf provide advanced network and cybersecurity solutions - informed by data sciences. Transforming Connectivity, Security and Information for Municipalities, Government & Enterprise.