Slovenian retailer DFVU, known for brands like S-mania, Layoners, Mazzaci, and RedLynx, left its customers' private data open, exposing 1.1 million individuals and company administrators.
On November 20th, 2023, the Cybernews research team discovered an open web server hosting files with lots of sensitive data belonging to DFVU.
The web server had directory listing enabled. That means any outsider could access the website through a web browser and see a listing of all the files and subdirectories.
“The backups were not protected or restricted with contents visible to anyone, so the IoT search engines indexed them,” researchers explained.
The data was stored in multiple database backups from 2020. The leaked data contained the following:
- Personal information, such as names, addresses, email addresses, and phone numbers, belonging to 1,142,019 unique individuals.
- Credentials of 67 Administrator accounts. Passwords were hashed with MD5, an outdated and insecure algorithm. The information included the endpoints where credentials were used to authenticate. Cracked credentials, therefore, could be used to access specific resources.
- Operational information, such as addresses of warehouses or the providers that DFVU uses for facilitating deliveries.
- Credentials for multiple other resources on their network (host, username, password(SHA-1/SHA-128), user permissions).
“Order history was also present in the backup, including items purchased, prices paid, billing names and addresses, and IP addresses used during purchase. However, no customers' passwords were exposed, as the affected platforms do not use standard account systems,” researchers said.
The database backups mostly comprised of s-mania.com online store entries. The researchers also found some database entries related to the Layoners and RedLynx Brands, which also belong to DFVU.
The data-exposing URL’s name suggests that it was a subdomain used for development.
The e-commerce company DFVU is based in Mengeš, Slovenia. However, it serves customers from all over Europe. The company claims to employ almost 100 people and has fulfilled over 50 million orders. S-mania was the first DFVU project, which started before the company was founded in 2016.
After responsible disclosure by the Cybernews research team, the company revoked public access to the directory.
Cybernews reached out to DFVU for additional comments but received no immediate response. We will update the story if we learn more.
Bonanza for malicious hackers
Despite the leaked data being older, from 2020, it still holds value for cybercrooks seeking financial gain. Time after time, researchers reveal that users rarely change their credentials or contact information, leaving them vulnerable after each leak.
“If malicious actors were to grab the data first, they could use names, addresses, and contact information in combination with purchase information to target more than a million individuals. Big data sets are used for phishing, spam, identity theft, and spying campaigns. Hackers may also cross-check the information with other leaks to attempt to access accounts,” Cybernews researchers warn.
Directory listing and broken access control enabled our researchers to identify backup files. If the directory was accessed by malicious actors trying to gain access to the company’s infrastructure, the consequences could be severe.
DFVU’s endpoints were especially vulnerable, as leaked credentials posed the significant threat of malicious actors cracking passwords and deploying ransomware.
“Insecure MD5 hashes can be easily cracked with modern hardware to reveal passwords in plaintext. Once inside the systems, malicious actors could wreak havoc, launching malicious payloads, including ransomware, spying on the company and clients, and exfiltrating data,” researchers noted.
After the initial breach, attackers often seek to move laterally across the network, exploiting other found vulnerabilities.
Researchers recommended that the company disable directory listing on the affected web server, which DFVU later implemented.
“If something similar happens to you, make sure that the development environment can only be accessed from a trusted network, and revise the current access control policy to meet “least privilege” guidelines. Reset leaked credentials. Notify affected users,” our researchers concluded.
Any leaked credentials should be reset, with multi-factor authentication (MFA) enabled where possible.
More from Cybernews:
Subscribe to our newsletter