Major German Shopping Site Leaked Customer Data

Uploaded on 2020-09-22 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A popular German online shop children’s clothing  e-commerce platform windeln.de operated an insecure Elastic-Search server, permitting the personal data of 700,000 customers could be accessed via Internet.  

The  public-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.

A team from the security firm Safety Detectives discovered a vulnerable and unsecured server located in France, containing more than 6 terabytes of data on customer data, operated by German company windeln.de

The data included names, addresses, phone numbers and payment methods and more customer information. ​The Safety detective team first detected the breach on 13 June 2020 and estimates that the server vulnerability was first exposed on the Internet on 11 June 2020. The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports.

The Safety Detectives team found that the server was completely unsecured and publicly exposed without a password. This means that anyone in possession of the server’s IP address could access the entire database. Safety Detectives tried to reach out to Windeln.de, but nobody ever got back to them.

They then contacted the German CERT in order to inform the company about the data leak. And a few days later, the server got secured.

Who is windeln.de?

First established in 2010, ‘windeln.de’ is a German-based retail company with an online shopping portal catering for baby and toddler products in Europe. The company also operates a large cross-border e-commerce business between Europe and China. The company operates several online mail-order hubs, namely: windeln.de, windeln.ch and Bebitus with China standing as the largest sales market for windeln.de. The parent company claims to serve around 700,000 customers with 40 distinct brands in 7 countries. In 2019, windeln.de generated revenues of €82 million and is currently publicly listed on the Frankfurt stock exchange.

Safety Detectives security team found around 98,000 entries including emails, full names and user IP addresses although some records were missing, duplicated or invalid.

Crucially, several information records referred to children whose parents were using the site. Records showed full names, dates of birth and gender information. Information relating to children is particularly sensitive because malicious hackers can exploit the strong bond between parent and child, by, for example, using the child’s birthday as an opportunity to deploy scams upon the parents. For example, a nefarious individual could use the birthdate to dupe the target into believing they are genuine and exploit that sense of loyalty to deploy various scams via email/telephone or in person.

Around 1,500 entries included emails, full names, phone numbers, addresses, payment methods, order date, product info, customer ID and language preference. 

However, the Safety Detectives security team confirmed that in general, the breach revealed partial records only, so not all pieces of information were available for all users. The team reported that around 128,000 instances of personal information were exposed specifying subscription status, email addresses, full names, IP addresses and order history across windeln.de’s site network.

It is difficult to clarify exactly how many users were affected by the vulnerability although windeln.de states it has served 700,000 customers to date. Some users had every piece of data exposed, whereas others, only had some exposure - presumably because they did not specify all their personal information when signing up and shopping via windeln.de.

Data Breach Impact

The impact of this data breach on users could have been severely problematic for windeln.de and its customers. However, at this stage, it is unknown whether the data made available in the leak was obtained by any third parties or malicious users.
One of the biggest dangers, in this particular case, is the personal impact on users. In this case , the financial records such as payment details or credit card numbers were not leaked, however, a vast amount of personal information means hackers can target a particular individual with phishing, phone and malware scams.

An affected user could be contacted by a hacker pretending to be from windeln.de and with the use of seemingly innocuous data such as purchase history, could convince the user into divulging much more critical data such as financial information or copies of government-IDs. 

Another more sophisticated scam is to send an email showing windeln.de branding and their personal information to incite a click-through. Upon visiting an unsecured website, hackers could potentially install malicious software on the visitor’s computer and thereby gain deeper access to someone’s life.

Preventing Data Exposure

How can consumers prevent your personal information from being exposed in a data leak and ensure that you are not a victim of a cyber-attack? Safety detectives advise the following: 

  • Be cautious of what information you give out and to whom.
  • Check that the website you are on is secure. 
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create a secure password by combining letters, numbers, and symbols
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks

Safety Detective:       BornCity:      Technadu

You Might Also Read: 

Why Is Retail Cyber Security So Weak?:

 

« Find Yourself In The Mind Of An Attacker!
TikTok’s Indian Rival Ready For Testing »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Aptive Consulting

Aptive Consulting

Aptive is a cyber security consultancy providing Penetration Testing and Vulnerability Assessment services.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Security & Information Systems Information Analysis Center (CSIAC)

Cyber Security & Information Systems Information Analysis Center (CSIAC)

CSIAC is chartered to leverage best practices and expertise from government, industry, and academia on cyber security and information technology.

Kudelski Security

Kudelski Security

Kudelski Security is an international cybersecurity company providing innovative, independent and tailored security solutions for large enterprise and public sector clients.

Digital Guardian

Digital Guardian

Digital Guardian is a next generation data protection platform designed to stop data theft.

SecureKey Technologies

SecureKey Technologies

SecureKey is a leading identity and authentication provider that simplifies consumer access to online services and applications.

Horangi

Horangi

Horangi provides security products and services that enable the rapid delivery of Incident Response and threat detection for our customers who lack the scale, expertise, or time to do it themselves.

Shift Technology

Shift Technology

Shift Technology provides insurance companies with an innovative SaaS solution to improve and scale fraud detection.

Aptible

Aptible

Security Management and Compliance for Developers. Aptible helps teams pass information security audits and deploy audit-ready apps and databases.

Sovereign Intelligence

Sovereign Intelligence

Sovereign Intelligence provides automated insight into the relative intensity of hidden Cyber, Brand, and Financial Risks to your company.

NuID

NuID

NuID is a pioneer in trustless authentication and decentralized digital identity.

Tactical Network Systems (TNS)

Tactical Network Systems (TNS)

Tactical Network Solutions helps you discover hidden attack vectors in IoT and connected devices before someone else does.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

SecureDrives

SecureDrives

Passwordless Authentication & Encrypted Data Storage Solutions from SecureDrives. We are enabling organisations to work safely and securely, using technology driven solutions.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.