Researchers found an unprotected Elasticsearch server owned by Aliznet
Researchers have found that a server at consulting firm Aliznet was left without safeguards, which caused data from companies such as Yves Rocher, IBM, Salesforce, Sephora and Louboutin to be stolen.
The company most affected by the incident was the beauty company Yves Rocher. “The biggest impacts will be felt by Aliznet, its client Yves Rocher, and the retail company’s end customers,” researchers said in a security alert posted Monday. The alert added: “The Aliznet leak has wider-reaching consequences than the impact on individual customers. The data breach impacts Aliznet’s clients who placed their trust in the company to protect their sensitive information. One concern is that Aliznet may have other unsecured databases and applications that haven’t been discovered yet. That means other clients of Aliznet may be at risk.”
Personal data of the company’s 2.5 million Canadian customers may have been disclosed, including users’ names, contact details, dates of birth, and postal codes. The data also covers more than 6 million orders placed by the company’s users, including the transaction amount, delivery date, currency of payment, location of the business, and the name and ID of the employee who processed each order. In addition, the company’s internal information may also have been disclosed, including store traffic statistics, turnover, order volume, and information on more than 40,000 items. Hackers can also use the API of the Yves Rocher application to gain access to the API Explorer and tamper with various data.
Via: threatpost