Brazilian e-commerce company Hariexpress leaks 1.75 billion sensitive files

About 1.75 billion sensitive files have been leaked by a Brazilian e-commerce integrator that provides services to some of the country’s largest online shopping sites.

Hariexpress is headquartered in São Paulo and integrates multiple processes into a single platform to improve the efficiency and operational capacity of retailers with more than one e-commerce store. Some of the company’s clients include Magazine Luiza, Mercado Livre, Amazon, and B2W Digital. The national postal service, Correios, is also among the company’s partners and has been affected by the incident.

According to security researcher Anurag Sen of Safety Detectives, who discovered the leak in July 2021, the incident is attributed to an improperly configured and unprotected Elasticsearch server and exposed more than 610 GB of data. The researchers noted that they had failed to resume communication with the company after initial contact.

Banking information relating to customers has not been compromised, experts say. On the other hand, the leak exposed a vast body of sensitive information, including full customer names, email addresses, business and home addresses, company registration and social security numbers.

All kinds of purchase details, including dates, times and prices of products sold, as well as copies of invoices and Hariexpress service login credentials, were also exposed, according to Safety Detectives. Researchers could not estimate the exact number of impacted users, due to the number of duplicate email addresses found in the exposed dataset, but it is estimated that several thousand users were potentially affected by the leak.

In addition, it is not possible to say whether other parties had access to the data, according to the researchers. Experts have warned that the dataset, which contains information directly identifying users of the company’s integrated marketplaces, could be used in phishing and social engineering attacks. The report also warns of the potential for other types of crimes, such as burglaries, as the exposed data includes residential and business addresses, and extortion, as the information also includes purchases of intimate goods.

Contacted by ZDNet, the company did not respond to requests for comment. Brazil’s National Data Protection Agency was also contacted for comment on the case and had not responded at the time of publication.
