The German online shop windeln.de operated an unsecured Elasticsearch server, so that the personal data of up to 700,000 customers could be accessed over the Internet. Here are the details I know so far (as told to me by the security researcher).
The vendor windeln.de sells all kinds of things for young parents in its online store and probably also offers a diaper subscription.
windeln.de was founded in 2010 and, by its own account, has grown into one of the leading online retailers for baby and children's products in Europe. The company also runs a successful cross-border e-commerce business with customers in China. The product range extends from diapers and baby food, children's furniture, toys and clothing to baby monitors and car seats, as well as cosmetics and partner products for parents.
The company claims to serve about 700,000 customers with 40 different brands in 7 countries. In 2019 windeln.de achieved a turnover of 82 million euros and is listed on the Frankfurt Stock Exchange. A Trusted Shops seal is displayed on the website, and on the privacy page the visitor learns that the operators take data protection very, very seriously.
Data leakage through unsecured server
A SafetyDetectives security team led by Anurag Sen recently discovered an unsecured server holding more than 6 terabytes of data, operated by the German company windeln.de and freely accessible over the Internet. The open server was found on June 13, 2020; it is estimated that it had been reachable from the Internet since June 11, 2020.
The Elasticsearch server was discovered during a routine scan of IP addresses on certain ports. The security team determined that the server was completely unsecured and publicly reachable without a password, so anyone who knew the server's IP address could read the entire database. This is the typical failure mode of an exposed Elasticsearch instance: the REST API (port 9200 by default) has no authentication unless the security features are enabled, which was not the default before version 8.0, so whoever can reach the port can list, read, modify or delete every index.
The security researchers tried to contact windeln.de but received no reply. They then contacted the German CERT so that it could inform the company about the data leak. A few days later the server was secured.
What is affected by the data leak?
The unsecured Elasticsearch server held API logs from the company's web and mobile sites, exposing data from the production system. In total, more than 6 billion records (over 6.4 TB of data) were found on a server located in France. The security researchers rate the situation as critical (6 out of 10 points). The team found that different ports exposed different subsets of the data.
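How such an exposure is found and measured, as an added example that is not code from the original article, from SafetyDetectives or from windeln.de: an open Elasticsearch node answers GET / with a JSON document carrying its version number and the tagline "You Know, for Search", while a node with security enabled answers 401; GET /_cat/indices?format=json then lists every index with its document count and size on disk, which is how figures like "6 billion records, 6.4 TB" are arrived at. The host name, port and all sample responses in the script are constructed.

```python
"""Check whether an Elasticsearch REST endpoint answers without authentication
and, if it does, how much data it exposes.

Added example for this article; it is not code from the original page, from
SafetyDetectives or from windeln.de.  The host name and all sample responses
below are constructed, not captured from a real server.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

ES_TAGLINE = "You Know, for Search"   # present in GET / of every Elasticsearch node


@dataclass
class Exposure:
    state: str                 # "open", "auth-required" or "not-elasticsearch"
    version: Optional[str]
    indices: int
    docs: int
    bytes_on_disk: int


def classify_root(status: int, body: str) -> Tuple[str, Optional[str]]:
    """Classify the answer to GET / on a suspected Elasticsearch port.

    A cluster with security enabled answers 401; an open cluster answers 200
    with JSON carrying the tagline and the version number.
    """
    if status == 401:
        return "auth-required", None
    if status != 200:
        return "not-elasticsearch", None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "not-elasticsearch", None
    if not isinstance(data, dict) or data.get("tagline") != ES_TAGLINE:
        return "not-elasticsearch", None
    return "open", data.get("version", {}).get("number")


_UNITS = {"tb": 1024 ** 4, "gb": 1024 ** 3, "mb": 1024 ** 2, "kb": 1024, "b": 1}


def parse_size(text: str) -> int:
    """Convert a _cat size string such as '6.4tb' or '41.5kb' to bytes."""
    text = text.strip().lower()
    for unit, factor in _UNITS.items():   # two-letter suffixes first, so 'kb' wins over 'b'
        if text.endswith(unit):
            return int(float(text[: -len(unit)]) * factor)
    raise ValueError(f"unrecognised size: {text!r}")


def summarise_indices(cat_json: str) -> Tuple[int, int, int]:
    """Sum index count, document count and store size from _cat/indices?format=json.

    Closed indices report null for docs.count and store.size; count them as 0.
    """
    rows = json.loads(cat_json)
    docs = sum(int(row.get("docs.count") or 0) for row in rows)
    size = sum(parse_size(row.get("store.size") or "0b") for row in rows)
    return len(rows), docs, size


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> Exposure:
    """Query a host you are authorised to test and summarise what it exposes."""
    base = f"http://{host}:{port}"

    def get(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base + path, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    state, version = classify_root(*get("/"))
    if state != "open":
        return Exposure(state, version, 0, 0, 0)
    status, body = get("/_cat/indices?format=json")
    n, docs, size = summarise_indices(body) if status == 200 else (0, 0, 0)
    return Exposure(state, version, n, docs, size)


# Constructed sample responses, shaped like a 7.x node with security disabled.
SAMPLE_ROOT_OPEN = json.dumps({"name": "node-1", "cluster_name": "api-logs",
                               "version": {"number": "7.6.2"}, "tagline": ES_TAGLINE})
SAMPLE_ROOT_AUTH = ('{"error":{"type":"security_exception",'
                    '"reason":"missing authentication credentials"},"status":401}')
SAMPLE_CAT = json.dumps([
    {"index": "api-logs-2020.06.11", "docs.count": "4100000000", "store.size": "4.2tb"},
    {"index": "api-logs-2020.06.12", "docs.count": "2300000000", "store.size": "2.2tb"},
    {"index": "closed-archive", "docs.count": None, "store.size": None},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "41.5kb"},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python es_exposure.py <host> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 9200))
    else:                                      # offline demo on the constructed samples
        print(classify_root(200, SAMPLE_ROOT_OPEN), classify_root(401, SAMPLE_ROOT_AUTH))
        n, docs, size = summarise_indices(SAMPLE_CAT)
        print(f"{n} indices, {docs:,} documents, {size / 1024 ** 4:.1f} TiB")
```

Run the probe only against hosts you are authorised to test. On a cluster you operate yourself the expected result is "auth-required": Elasticsearch binds to loopback by default, and the exposure described here arises when `network.host` is pointed at a public interface (or a container port is published) while the security features stay disabled, which before 8.0 meant leaving `xpack.security.enabled` at its default of false. A firewall rule limiting port 9200 to the application hosts is the second, independent line of defence.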
The server was a production system that stored data from May 24, 2020 onwards and contained "backlog" information, including API and internal logs with user and customer details. The following information was available on the windeln.de server:
- Full names
- E-mail addresses
- Complete postal addresses
- Phone numbers
- IP addresses
- Windeln.de newsletter subscriber list
- Order and purchase details
- Payment methods (without payment information)
- Information about the children of users, including their names, dates of birth and gender
- Amazon OAuth API login tokens
- Authentication tokens
- Partial list of hashed passwords
- Internal logs with various employee details
In addition, there were logs referring to the Spanish sister site and the Bebitus.com brand. This data also included tokens for website user accounts. The logs frequently referenced other brands' sites, such as windeln.com.cn and windeln.ch.
The security team found approximately 98,000 entries including e-mail addresses, full names and user IP addresses, although some entries were missing, duplicated or invalid. Particularly serious, and increasing the risk posed by the leak, was the stored information about the children of parents using the site: the records contained full names, dates of birth and gender. Data about children is especially sensitive because cyber criminals could exploit the parent-child relationship to commit fraud.
Approximately 1,500 records contained e-mail addresses, full names, phone numbers, postal addresses, payment methods, order dates, product information, customer IDs and language preferences, but the security team found that the open database generally held only partial records, so not every field was exposed for every user. Across the entire windeln.de website network, however, about 128,000 cases of disclosed personal information were found, including subscription status, e-mail addresses, full names, IP addresses and order history. Overall, it is difficult to determine the exact number of affected persons (the company has 700,000 customers). For some users all of the data listed above was exposed, while others were affected only partially (probably because they did not provide all their personal data when registering and shopping at windeln.de).
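Most of the categories listed above are not database tables but values that ended up in API request logs: Authorization headers, OAuth tokens, e-mail addresses, client IPs and the occasional password hash. The following added example, which is not code from the original article or from windeln.de, shows a log scrubber that flags and redacts such values before a record is indexed into a search cluster. The log record and its field names are constructed for the example; the only format taken from the real world is the "Atza|" prefix of Login with Amazon access tokens, the rest of the patterns are generic.

```python
"""Flag and redact credentials and personal data in API log records before
they are indexed into a search cluster.

Added example for this article; it is not code from the original page or
from windeln.de.  The record below and its field names are constructed to
mirror the categories the researchers reported, not taken from the leak.
"""
import json
import re
from typing import Any, Dict, Optional, Tuple

# Values that should never reach a log index, in the order they are applied.
PATTERNS = {
    "bearer_token": re.compile(r"\b[Bb]earer\s+[A-Za-z0-9._~+/=-]{16,}"),
    # Login with Amazon access tokens start with "Atza|", refresh tokens with "Atzr|".
    "amazon_token": re.compile(r"\bAtz[ar]\|[A-Za-z0-9_-]{20,}"),
    "bcrypt_hash": re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Fields whose whole value is dropped regardless of content (lower-cased names).
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "password",
                  "password_hash", "access_token", "refresh_token", "token"}


def _scrub_string(text: str, findings: Dict[str, int]) -> str:
    """Replace every pattern hit in a free-text value and count it by type."""
    for name, regex in PATTERNS.items():
        text, n = regex.subn(f"[REDACTED:{name}]", text)
        if n:
            findings[name] = findings.get(name, 0) + n
    return text


def scrub(value: Any, findings: Optional[Dict[str, int]] = None) -> Tuple[Any, Dict[str, int]]:
    """Return a redacted copy of a JSON-like record plus a count of findings by type.

    The input is not modified, so the original can still be audited.
    """
    if findings is None:
        findings = {}
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if key.lower() in SENSITIVE_KEYS:
                out[key] = "[REDACTED:key]"
                findings["key"] = findings.get("key", 0) + 1
            else:
                out[key] = scrub(item, findings)[0]
        return out, findings
    if isinstance(value, list):
        return [scrub(item, findings)[0] for item in value], findings
    if isinstance(value, str):
        return _scrub_string(value, findings), findings
    return value, findings


# Constructed API log record of the kind the article says was indexed in the clear.
SAMPLE_RECORD = {
    "ts": "2020-06-12T09:14:03Z",
    "method": "POST",
    "path": "/api/v1/orders",
    "client_ip": "203.0.113.42",
    "headers": {
        "Authorization": "Bearer 0123456789abcdefXYZ.tok-en",
        "User-Agent": "shop-app/4.2 (Android)",
    },
    "body": {"email": "anna.muster@example.com",
             "child": {"name": "Lena", "dob": "2019-03-14", "gender": "f"}},
    "user": {"id": 8812, "password_hash": "$2b$12$" + "a" * 53},
    "debug": "cmp $2b$12$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ ok",
    "msg": ("retry with Authorization: Bearer 0123456789abcdefXYZ for "
            "anna.muster@example.com from 203.0.113.42; lwa=Atza|IwEBIExampleExampleExample"),
}

if __name__ == "__main__":
    redacted, report = scrub(SAMPLE_RECORD)
    print(json.dumps(redacted, indent=2))
    print("findings:", report)
```

Two things the run makes visible. The regexes only catch values that can be recognised by shape, which is why tokens that drift into free-text messages are found but the child's name and date of birth pass through untouched; structured personal data like that needs a per-field decision on whether it belongs in a log at all. And the findings counter is the useful part in practice: run it over a day of existing logs and a non-zero count for "key" or "bearer_token" tells you the application is logging credentials, which is the bug to fix at the source rather than in the pipeline.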
In the meantime the data leak has been closed. It is unclear whether the affected persons have been informed by the operator, and I have no knowledge so far of whether the data protection authority has been notified. In any case, the incident is relevant under the GDPR (DSGVO): Article 33 requires a personal data breach to be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and Article 34 requires the affected persons to be informed when the breach is likely to result in a high risk to them. The security report with the details will be available here after the publication of this exclusive article.