The leaked dataset contained personal information, such as emails, phone numbers, names, and poorly protected passwords, exposing customers to identity theft and credential-stuffing attacks.
On September 20, the Cybernews research team discovered an unprotected 18.2GB database hosted on AWS in the US. Researchers were able to attribute the instance to the Indian online retailer Highrich.
Highrich calls itself a dynamic e-commerce website that provides “an array of genuine and quality products.” Its website gets 50,000 monthly visits.
The open database contained over 200,000 personal information entries, including emails, phone numbers, and hashed passwords. However, the passwords were protected with MD5, a very weak hashing algorithm.
MD5 is one of the oldest hashing algorithms still in use and has been considered unfit for protecting passwords for over a decade. It has a high chance of collisions, and its hashes are generally easy to reverse for anyone intending to recover the original password.
The discovered database also contained 470,000 entries of order information: emails, customer IDs, names, physical addresses, and ordered items.
It also held one-time password (OTP) logs that could allow attackers to monitor the database and bypass two-factor authentication.
“We discovered vast amounts of information stored on each customer. It could be used for identity theft and credential stuffing. Threat actors could make use of the order information for stalking,” said Aras Nazarovas, a Cybernews researcher.
The dataset is now closed. We’ve reached out to Highrich for more information on what precautions have been taken to avoid similar leaks in the future and whether they are planning to switch to a stronger encryption protocol. They are yet to reply.
Retail is a top target for ransomware and data theft, multiple reports reveal. E-commerce companies have complex, distributed IT environments, including point-of-sale devices, a relatively transient and non-technical workforce, and access to a wide range of personal and financial customer data.
Many online retailers and other companies collect vast amounts of user data, which might include your physical address, or even your children’s names and birthdays. Make sure you never share sensitive information, including IDs, with anyone, don’t store credit card details, and edit your privacy settings on social media. Make sure you never use the same password across accounts or devices, no matter how strong it might be – some companies barely protect them, and attackers could hack into your other accounts as well.
Neglected encryption
Co-founder of encryption-as-a-service provider Vaultree, Tilo Weigandt, believes that lack of good cybersecurity training is often one of the biggest mistakes companies make.
“The first line of defense for organizations to stop some attacks is to simply educate employees about the dangers of clicking on links. Insider threats are the biggest cybersecurity risk when there are internal security gaps,” he told Cybernews.
However, to err is human, so the second line of defense is even more important.
“Companies are relying too much on patching security gaps and the usage of tools in areas such as API and app security or threat detection. They are important indeed, but encryption is neglected in most cases and outdated – traditional technologies being used nowadays don't suffice anymore to combat cyber threats,” Weigandt said.
Protecting passwords with MD5 or SHA-1 is a textbook example of poor encryption practices. A lot of companies value efficiency and productivity over security, said Tom Kirkham, founder, CEO and CISO of Kirkham.IT and IronTech Security. In many cases, a breach happens because it is an inside job or because an employee’s login information was stolen.
“The consequences stemming from theft of an unprotected dataset containing private data are catastrophic. Private data could be used for identity theft purposes, spear-phishing attacks, to impersonate customers, and so on. The resulting loss in revenue and lack of trust from clients is devastating,” Kirkham said.