Apparel Group, a fashion and lifestyle titan distributing Adidas, Asics, Levi‘s, and other world-renowned brands, has leaked several million shipping labels, exposing customer names and home addresses.
Even though cybersecurity has never been as trendy, it’s definitely not for all. For example, the Cybernews research team recently discovered a misconfigured AWS bucket containing nearly 2.4 million files.
The exposed instance belongs to Apparel Group, a UAE-based fashion and retail conglomerate with revenues exceeding $3.5 billion. The company operates thousands of retail shops and online commerce websites. Its portfolio includes over 80 world-renowned brands, such as Adidas, Aldo, Asics, Birkenstock, Calvin Klein, Crocs, Levi’s, and many others.
“Since Apparel Group is a highly renowned player in the retail industry, the exposed bucket may have affected millions of its clients. Attackers can use the leaked data to conduct sophisticated scams and phishing attacks, impersonating reputable businesses, sending fraudulent communications that demand urgent verification of sensitive information, and so on,” our researchers explained.
Worryingly, despite multiple attempts to contact the company, the bucket remains accessible to the public. We have contacted the company for a comment and will update the article once we receive a reply.
“For instance, attackers might send emails or text messages impersonating a delivery service or retailer, claiming that a package is on the way but requires urgent verification of payment or personal information,”
researchers said.
What Apparel Group data was leaked?
The exposed bucket contains nearly 2.4 million files, mostly shipping labels, from various brands the company represents, revealing sensitive customer data. The leaked labels reveal:
- Full names
- Home addresses
- Phone numbers
- Order details
According to the team, attackers can find numerous ways to exploit leaked details. For example, access to order-related data allows cybercrooks to convincingly impersonate businesses that victims have recently interacted with.
“For instance, attackers might send emails or text messages impersonating a delivery service or retailer, claiming that a package is on the way but requires urgent verification of payment or personal information. By referencing specific orders, these communications can appear legitimate, prompting recipients to respond quickly, often without proper verification,” researchers said.
Crafty cybercrooks might take advantage of the leaked phone numbers. For example, scammers can initiate fraudulent calls supposedly coming from legitimate organizations such as banks or well-known retailers. Data on shipping details, at least in theory, could add credibility to such tactics.
Moreover, personal details are crucial enablers that attackers utilize to peddle malware. Impersonation tactics allow malicious actors to peddle messages with malicious links, which lead victims to download malicious content.
“Messages that reference products or services related to the leaked order information can entice victims to click on malicious links or harmful attachments. Unsuspecting victims could be guided to install stealer malware, leading to even further data loss,“ researchers said.
To avoid similar mishaps in the future, researchers advise to:
- Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access
- Retrospectively monitor access logs to assess whether the bucket has been accessed by unauthorized actor
- Use AWS Key Management Service (KMS) to manage encryption keys securely
- Consider implementing best practices like regular audits, automated security checks, and employee training
- Leak discovered: October 9th, 2024
- Initial disclosure: October 9th, 2024
- CISA contacted: January 2nd, 2025
Your email address will not be published. Required fields are markedmarked