Kickstarter star leaks over half a million records with clients' data

Over half a million records with clients' data and a decade's worth of support tickets have been publicly exposed and likely accessed by threat actors after a US accessories maker forgot to set a password.

Peak Design, a California-based manufacturer and retailer of bags and accessories for travelers and photographers, exposed its clients' private data to anyone on the internet.

The company is known for a dozen crowdfunding campaigns and a strong Kickstarter community, which helped successfully raise nearly $36 million to fund the creation of its award-winning product designs.

Peak Design data leak
Elasticsearch instance indices

The leaked data included:

  • Customer email addresses
  • Home addresses
  • Order information
  • Shipment tracking codes
  • Customer support inquiries

On April 25th, the Cybernews research team identified the leak and informed the company. While the data appeared on search engines on April 24th, the leaked support tickets span nearly a decade from June 2014 to May 2023, magnifying the scope of the leak.

The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems.

Peak Design data leak
Customer support tickets list

Access to the Elasticsearch servers should never be exposed to the public web without proper authentication, as it is a common target for threat actors preying on user data. Ransomware bots, especially, target poorly secured instances and wipe data.

That was exactly the case with Peak Design. Cybernews researchers found a ransom note on the company’s systems, indicating it was likely accessed by the threat actor at least once.

Peak Design data leak
Ransom note

The note, left by a ransomware bot, stated that the data was backed up and demanded 0.057 (around $3940) in Bitcoin. Otherwise, they would publicly release and delete the customer data.

Although the information in the instance was not updated in real-time, thus not posing a direct threat to the shipment of products, the leaked personal data of customers remains a huge cause of concern. It could potentially be sold and used by gray market marketing agencies, data brokers, and spammers, as well as used for phishing or doxxing attacks.

After the disclosure, the company secured access to the data. An official response has yet to be received.

Updated: The discovery date of the leak was corrected from March 25th to April 25th.

peak design leak 3
Customer support ticket including shipment tracking information, shipping addresses, email addresses

More from Cybernews:

Microsoft develops AI model for predicting extreme weather

Trump boasts nearly 4M followers one day after joining TikTok

Thousands of Heineken employees affected in alleged data breach

Spotify is once again hiking prices in the US 

Millions of Americans’ home addresses allegedly exposed 

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked