Major German Shopping Site Leaked Customer Data

Uploaded on 2020-09-22 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A popular German online shop children’s clothing  e-commerce platform windeln.de operated an insecure Elastic-Search server, permitting the personal data of 700,000 customers could be accessed via Internet.  

The  public-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.

A team from the security firm Safety Detectives discovered a vulnerable and unsecured server located in France, containing more than 6 terabytes of data on customer data, operated by German company windeln.de

The data included names, addresses, phone numbers and payment methods and more customer information. ​The Safety detective team first detected the breach on 13 June 2020 and estimates that the server vulnerability was first exposed on the Internet on 11 June 2020. The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports.

The Safety Detectives team found that the server was completely unsecured and publicly exposed without a password. This means that anyone in possession of the server’s IP address could access the entire database. Safety Detectives tried to reach out to Windeln.de, but nobody ever got back to them.

They then contacted the German CERT in order to inform the company about the data leak. And a few days later, the server got secured.

Who is windeln.de?

First established in 2010, ‘windeln.de’ is a German-based retail company with an online shopping portal catering for baby and toddler products in Europe. The company also operates a large cross-border e-commerce business between Europe and China. The company operates several online mail-order hubs, namely: windeln.de, windeln.ch and Bebitus with China standing as the largest sales market for windeln.de. The parent company claims to serve around 700,000 customers with 40 distinct brands in 7 countries. In 2019, windeln.de generated revenues of €82 million and is currently publicly listed on the Frankfurt stock exchange.

Safety Detectives security team found around 98,000 entries including emails, full names and user IP addresses although some records were missing, duplicated or invalid.

Crucially, several information records referred to children whose parents were using the site. Records showed full names, dates of birth and gender information. Information relating to children is particularly sensitive because malicious hackers can exploit the strong bond between parent and child, by, for example, using the child’s birthday as an opportunity to deploy scams upon the parents. For example, a nefarious individual could use the birthdate to dupe the target into believing they are genuine and exploit that sense of loyalty to deploy various scams via email/telephone or in person.

Around 1,500 entries included emails, full names, phone numbers, addresses, payment methods, order date, product info, customer ID and language preference. 

However, the Safety Detectives security team confirmed that in general, the breach revealed partial records only, so not all pieces of information were available for all users. The team reported that around 128,000 instances of personal information were exposed specifying subscription status, email addresses, full names, IP addresses and order history across windeln.de’s site network.

It is difficult to clarify exactly how many users were affected by the vulnerability although windeln.de states it has served 700,000 customers to date. Some users had every piece of data exposed, whereas others, only had some exposure - presumably because they did not specify all their personal information when signing up and shopping via windeln.de.

Data Breach Impact

The impact of this data breach on users could have been severely problematic for windeln.de and its customers. However, at this stage, it is unknown whether the data made available in the leak was obtained by any third parties or malicious users.
One of the biggest dangers, in this particular case, is the personal impact on users. In this case , the financial records such as payment details or credit card numbers were not leaked, however, a vast amount of personal information means hackers can target a particular individual with phishing, phone and malware scams.

An affected user could be contacted by a hacker pretending to be from windeln.de and with the use of seemingly innocuous data such as purchase history, could convince the user into divulging much more critical data such as financial information or copies of government-IDs. 

Another more sophisticated scam is to send an email showing windeln.de branding and their personal information to incite a click-through. Upon visiting an unsecured website, hackers could potentially install malicious software on the visitor’s computer and thereby gain deeper access to someone’s life.

Preventing Data Exposure

How can consumers prevent your personal information from being exposed in a data leak and ensure that you are not a victim of a cyber-attack? Safety detectives advise the following: 

  • Be cautious of what information you give out and to whom.
  • Check that the website you are on is secure. 
  • Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
  • Create a secure password by combining letters, numbers, and symbols
  • Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
  • Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
  • Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks

Safety Detective:       BornCity:      Technadu

You Might Also Read: 

Why Is Retail Cyber Security So Weak?:

 

« Find Yourself In The Mind Of An Attacker!
TikTok’s Indian Rival Ready For Testing »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

NextLabs

NextLabs

NextLabs provides data-centric security software to protect business-critical data and applications.

Grimm Cyber

Grimm Cyber

GRIMM makes the world a more secure place by increasing the cyber resiliency of our client’s systems, networks, and products.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

TDRA focuses on regulating the telecommunications sector and enabling government entities in the field of smart transformation. It is responsible for the overall digital infrastructure in the UAE.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

Thrive

Thrive

Thrive delivers the experience, resources, and expertise needed to create a comprehensive cyber security plan that covers your vital data, SaaS applications, end users, and critical infrastructure.

Ethyca

Ethyca

Ethyca builds automated data privacy infrastructure and tools for developers and privacy teams to easily build products that comply with GDPR, CCPA Privacy Regulations.

UK Cyber Security Council (UKCSC)

UK Cyber Security Council (UKCSC)

The role of The UK Cyber Security Council is to champion the cybersecurity profession across the UK, provide representation for the industry, accelerate awareness and promote excellence.

Foundries.io

Foundries.io

Foundries.io have built a secure, open source platform for the world's connected devices, and a cloud service to configure this to any hardware and any cloud.

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) - Singapore

Security & Intelligence Division (SID) protects Singapore from external threats and safeguards its interests in areas related to terrorism, cyber security, other transnational threats, and geopolitics

Ermetic

Ermetic

Ermetic’s identity-first cloud infrastructure security platform provides holistic, multi-cloud protection in an easy-to-deploy SaaS solution.

AddSecure

AddSecure

AddSecure is a leading European provider of secure IoT connectivity and end-to-end solutions.

Linx Security

Linx Security

The Linx Identity Security platform enables identity, security, and IT ops teams to finally control the whole identity lifecycle.

Defend-OT

Defend-OT

Defend-OT is a Belgium-based cybersecurity firm specializing in OT environments.