At the time of publishing this article, the data was still exposed and growing as there has been no response from Hariexpress.
The Brazilian E-commerce Marketplace Integrator platform Hariexpress (Hariexpress.com.br) has been caught exposing a massive trove of sensitive data belonging to its customers and vendors.
In total, the company has exposed more than 610 GB worth of data containing over 1.75 billion (1,751,023,279) records without any security authentication.
Launched in 2018; Hariexpress integrates eCommerce marketplaces into a single platform to automate processes across different online stores.
It is worth noting that this massive exposure has been caused by a misconfigured Elasticsearch server. This means anyone with knowledge of exploiting the misconfigured Elasticsearch servers can access these records without the need for login credentials.
SEE: Personal & banking data of 120 million Brazilians leaked online
The incident was originally identified by team cybersecurity researchers at Safety Detectives led by Anurag Sen. According to their blog post, the exposed records include information on both customers and vendors (businesses using the Hariexpress platform). For instance, when it comes to customers, the content of the exposed data includes:
- Images
- Full names
- Usernames
- Email addresses
- Phone numbers
- Billing details including billing addresses.
For vendors, the misconfigured Elasticsearch server is currently exposing highly sensitive and personal records including the following:
- Full names
- CPF numbers
- Billing details
- Phone numbers
- Email addresses
- Home addresses
- Business addresses
- CNPJ numbers (National Register of Brazilian business)
Moreover, researchers noted in their blog that Hariexpress also exposed its internal username and encrypted passwords to public access. According to researchers, they identified the data on May 12th, 2021, and based on their analysis it was exposed to the public for more than a month.
What’s worse is that the company is yet to secure the data, while Brazilian Computer Emergency Readiness Team (BR CERT) also refrained from taking any steps to secure the data.
Consequently, at the time of publishing this article, Hackread.com can confirm that the entire Elasticsearch cluster was still exposed and available online for public access.
We are contacting ASRC which is the Alibaba cloud security team as the server is hosted on AliCloud-US. Hoping they will take it offline, Sen told Hackread.com.
If you are a customer with Hariexpress, it is time to get in touch with the company (although according to Google, they are “Temporarily Closed”) and enquire about the incident.
The fact that billions of records are currently open to public access could end up as a disaster for unsuspecting vendors and customers.
SEE: Brazil’s cosmetic giant Natura leaked 192 million records with payment data
Cybercriminals can use the data to carry out phishing scams, identity theft, and social engineering attacks, and competitors can use the data for corporate espionage.
Nevertheless, the data leak itself is a massive security threat to Hariexpress as hackers can hijack the entire Elasticsearch cluster to demand ransom or end up selling/leaking the data on hacker forums.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.