Kickstarter star leaks over half a million records with clients' data


Over half a million records with clients' data and a decade's worth of support tickets have been publicly exposed and likely accessed by threat actors after a US accessories maker forgot to set a password.

Peak Design, a California-based manufacturer and retailer of bags and accessories for travelers and photographers, exposed its clients' private data to anyone on the internet.

The company is known for a dozen crowdfunding campaigns and a strong Kickstarter community, which helped successfully raise nearly $36 million to fund the creation of its award-winning product designs.

Image: Elasticsearch instance indices

The leaked data included:

  • Customer email addresses
  • Home addresses
  • Order information
  • Shipment tracking codes
  • Customer support inquiries

On April 25th, the Cybernews research team identified the leak and informed the company. While the data appeared on search engines on April 24th, the leaked support tickets span nearly a decade from June 2014 to May 2023, magnifying the scope of the leak.

The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems.

Image: Customer support tickets list

Elasticsearch servers should never be exposed to the public web without proper authentication, as they are a common target for threat actors preying on user data. Ransomware bots in particular hunt for poorly secured instances and wipe their data.
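The check a defender would run against their own cluster after reading the two paragraphs above, as an added example that is not part of the article: it records whether the Elasticsearch HTTP API answers `GET /` and `GET /_cat/indices?format=json` with no credentials, totals the exposed documents, and flags index names that look like the note a wiper bot leaves behind. The `RANSOM_HINTS` list and the sample responses are assumptions constructed for the example, not values from the article.

```python
import json
import urllib.error
import urllib.request

# Index-name fragments typical of notes left by wiper/ransom bots. Assumed
# heuristic list, not from the article; extend it with what you observe.
RANSOM_HINTS = ("readme", "read_me", "recover", "ransom", "warning")


def probe(url, timeout=5):
    """GET url with no credentials; return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess(root_status, root_body, cat_status, cat_body):
    """Judge captured responses to GET / and GET /_cat/indices?format=json."""
    report = {"anonymous_access": False, "doc_count": 0,
              "suspect_indices": [], "notes": []}
    if root_status in (401, 403):
        report["notes"].append("credentials required: good")
        return report
    if root_status != 200:
        report["notes"].append(f"unexpected status {root_status}")
        return report
    # 200 on / with no credentials: banner, and usually every index, is world-readable.
    report["anonymous_access"] = True
    banner = json.loads(root_body)
    report["notes"].append("anonymous read of cluster %s, version %s" % (
        banner.get("cluster_name"), banner.get("version", {}).get("number")))
    if cat_status == 200:
        for idx in json.loads(cat_body):
            name = idx.get("index", "")
            report["doc_count"] += int(idx.get("docs.count") or 0)
            if any(hint in name.lower() for hint in RANSOM_HINTS):
                report["suspect_indices"].append(name)
    if report["suspect_indices"]:
        report["notes"].append("ransom-note style index present: data may already be wiped")
    return report


# Constructed sample responses shaped like the real API (not captured from any host).
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                          "version": {"number": "7.10.2"}})
SAMPLE_CAT = json.dumps([{"index": "orders", "docs.count": "412000"},
                         {"index": "support_tickets", "docs.count": "120000"},
                         {"index": "read_me_to_recover", "docs.count": "1"}])
```

Against a live host you administer, `assess(*probe(base + "/"), *probe(base + "/_cat/indices?format=json"))` produces the same report; a healthy cluster returns `anonymous_access: False` with the "credentials required" note.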

That was exactly the case with Peak Design. Cybernews researchers found a ransom note on the company's systems, indicating that a threat actor had likely already accessed the data at least once.

Image: Ransom note

The note, left by a ransomware bot, stated that the data had been backed up and demanded 0.057 BTC (around $3,940). Otherwise, the attackers would publicly release the customer data and delete it.

Although the information in the instance was not updated in real time, so it posed no direct threat to the shipment of products, the leaked personal data of customers remains a serious cause for concern. It could be sold to and used by gray-market marketing agencies, data brokers, and spammers, or used for phishing or doxxing attacks.

After the disclosure, the company secured access to the data. An official response has yet to be received.

Updated: The discovery date of the leak was corrected from March 25th to April 25th.

Image: Customer support ticket including shipment tracking information, shipping addresses, and email addresses