Cybercriminals obtain data of 2M customers leaked by delivery company


The delivery company has leaked information about deliveries and the home addresses of millions of its customers.

On January 15th, the Cybernews research team discovered a publicly accessible Google Cloud Storage Bucket belonging to Paxel, an Indonesian shipping company. Paxel provides local and intercity delivery services, smart lockers, bulk delivery, snack stores, and waste treatment services.

The open bucket contained multiple MySQL and MongoDB database backups from 2023. The databases contained a tremendous amount of personal data related to the deliveries of 2 million people, including highly sensitive information such as home addresses and signatures.

The databases also contained Paxel account balances, pictures of delivered parcels, and private messages between the company’s staff and the parcels’ receivers.

Full list of leaked data:

  • Customers’ names
  • Phone numbers
  • Email addresses
  • Home addresses
  • Dates of birth
  • Signatures
  • Usernames
  • Passwords hashed with the bcrypt hashing algorithm
  • Customers’ phone models
  • MAC address information
  • Amount of on-platform credit
  • List of orders
  • Names of ordered products
  • Amounts spent on orders
  • Chat messages between Paxel’s staff and the customers
  • Pictures of delivered packages
  • Codes used for retrieving orders in pick-up point lockers

The leaked data has already been exploited by threat actors, with researchers finding that backups were shared on a hacker forum in July 2023. It shows that the company failed to identify the leak for more than six months after malicious actors got hold of the data.

Malicious actors could use the immense amount of leaked data for spam, phishing attacks, doxxing, fraud, or identity theft, especially as customer signatures were leaked.

It’s not the first time that the Jakarta-based company has leaked customers’ data. In 2020, over 800,000 of Paxel’s users were affected by a data leak. The company has not publicly disclosed the data leak.

Cybernews has contacted the company, and access to the bucket was closed. An official comment on the matter is yet to be received.

Gateway to internal systems

The leak has not put customer deliveries at risk, as the leaked data was from 2023 and not real-time. Nonetheless, the databases did include accounts of Paxel’s administrators and employees, which could potentially enable attackers to target the company’s internal systems.

The takeover of internal systems could result in exfiltrating more up-to-date or sensitive information, launching malicious payloads, or injecting malicious code into the company’s systems and putting its users at risk.

The leaked databases also contained hashed passwords, which could be used for account takeovers or credential-stuffing attacks. Although the hashing algorithm currently employed is robust, many threat actors adopt a strategy of 'save now, crack later.' This means that even though hashed passwords are not immediately crackable, they still represent a potential threat in the future.