Online retailer Esquimal leaked the data of thousands of users via an open server. Threat actors apparently noticed this and hit the company with ransomware.
The Cybernews research team discovered an unprotected server with over 77,000 entries of personal identifiable information (PII), such as names, email addresses, and phone numbers.
The open dataset belongs to customers of Esquimal, an online Spanish-language retailer based in Mexico. According to our researchers, it contained 9.2GB worth of vulnerable data.
Interestingly, the dataset was mostly made up of details entered by Esquimal customers who used the live chat functionality on the retailer’s website, which was left unprotected.
"Whenever a company is hacked, they will bear the impact financially, reputationally, and depending on other circumstances, executives or boards can be held liable with civil, even possibly criminal, charges,"Jai Dargan told Cybernews.
Customer PII was not the only thing Esquimal left accessible. The dataset also contained plaintext credentials for its support email. Threat actors could use this information to log in to company databases and access more information about customers.
For example, the credentials found on the database could allow threat actors to take over Esquimal’s customer support system, potentially opening access to all of the information that the company stores on customers, excluding order data.
Our team discovered that Esquimal’s dataset stored a private key used to decrypt messages sent using Rocket.Chat, an open-source platform that businesses use to communicate with their clients.
Esquimal’s Rocket.Chat account was configured to allow communication with clients via WhatsApp and Facebook Messenger.
“Most customer support systems collect a large amount of personal information, often way more than is needed to process the request. That means that users who want to fix, for example, billing-related issues, cannot do that without exposing this information,” the Cybernews team said.
Additionally, the open servers held emails, names, and passwords belonging to 33 Esquimal employees. However, unlike support email credentials, employee data was hashed to protect it from easy access.
The leaky server was likely spotted by threat actors with far more nefarious purposes than research. When our team returned to see if the open instance was closed after reaching out to Esquimal, they noticed somebody else had visited the server.
Researchers claim that they found a ransom note demanding the company pay EUR3,000 to a specified cryptocurrency wallet.
Two days later, the ransom note was gone. However, even after the company was hit with ransomware and apparently knew about the issue, Esquimal continued to store sensitive information insecurely.
However, data that our researchers found before the attack was no longer present, which could indicate that Esquimal chose not to pay the ransom and opted instead to rebuild the breached database.
We reached out to Esquimal for comment but received no reply before publishing this article.
"Most customer support systems collect a large amount of personal information, often way more than is needed to process the request,"the Cybernews team said.
Businesses often leave sensitive databases open because security is rarely their primary concern, Jai Dargan, a cybersecurity expert at Axio, told Cybernews.
According to him, security teams and staff often don’t even know what kind of databases are in their possession, creating a risk that a server will become exposed. However, lack of awareness is hardly a reason not to hold businesses accountable for lax security.
“Whenever a company is hacked, they will bear the impact financially, reputationally, and depending on other circumstances, executives or boards can be held liable with civil, even possibly criminal, charges. We have now seen this play out across a range of sectors and industries,” Dargan said.
Another reason why companies may leave databases with personal information open is poor access management. Joel Burleson-Davis, former Chief Technology Officer at cybersecurity company SecureLink, thinks that organizations often fail to implement strict criteria that determine who has what level of access, leading to credential multiplication and increased access to a database.
“I can imagine a scenario like this one, where access control is gradually loosened on a dataset because multiple parties need it for different reasons over time. Without a good inventory of systems and datasets, including who has access to what and why and for how long, many critical systems eventually end up as just open or unsecured,” Burleson-Davis explained.
The damage is twofold, as breached companies suffer along with customers. An unprotected database can spell disaster for a business’s reputation and may cost hundreds of thousands in downtime and litigation.
Customers who have had their information stolen are forced to deal with an increased risk of cyberattacks. While securing breached accounts can be a nuisance, affected customers reusing passwords may be more prone to cyberattacks that can lead to financial loss.
More from Cybernews:
Subscribe to our newsletter