Data leak at online provider confirmed

 [German]The German online vendor operated an insecure server, so that the personal data of 700,000 customers could be accessed. After I reported about it here in the blog and the whole thing went further afield, the provider issued a press release about the incident.


The startup, founded in 2010, sells all kinds of stuff for young parents in its online store and probably also offers a diaper subscription. According to its own statement, the provider has developed into one of the leading online retailers for baby and children's products in Europe.

The company operates a successful cross-border e-commerce business with customers in China. The product spectrum ranges from diapers and baby food, children's furniture, toys and clothing to baby monitors and car seats as well as cosmetics and partnership products for parents. However, was also the victim of a data protection incident.

A security team of SafetyDetectives led by Anurag Sen recently discovered a vulnerable and unsecured server with more than 6 terabytes of data, operated by the German company, which was freely accessible over the Internet. Specifically, the open server was discovered on June 13, 2020, but it is estimated that the server was freely accessible via the Internet since June 11, 2020.

The ElasticSearch server and its vulnerability were discovered during a routine scan of IP addresses on certain ports. The security team determined that the server was completely unsecured and publicly accessible without a password. This meant that anyone in possession of the server's IP address could access the entire database.


The security researchers have tried to reach, but nobody has ever contacted the researchers. They then contacted the German CERT so they could inform the company about the data leak. A few days later the server was backed up. I had reported this on September 15, 2020 in the blog post Data leak at online shop – after the security researchers had informed me.

On September 16, 2020, issued a press release confirming the incident. In the text it says

Between June 10 and 23, 2020, data from some of our customers was temporarily stored on an unprotected server. The reason for this was an error during maintenance work, which has since been corrected. The data is now protected again.

Only customers who logged on to our website via the app or a browser between May 24 and June 23, 2020 are affected. The server serves as a cache, which automatically deletes the data every four weeks at the latest. Therefore, it is currently not possible for us to determine which and how many customers are affected.

As far as we know today, the server did not contain any information about means of payment – such as credit card numbers. However, there was data such as name, e-mail addresses, postal addresses, telephone numbers and the order history of affected users and in some cases the dates of birth and names of their children.

IT security experts outside our company had discovered the unsafe place. Whether unauthorized third parties had access to the data beyond this is currently unclear. We have initiated a comprehensive investigation and are working flat out to establish the facts with the help of external IT forensics experts.

"We very much regret this incident and apologize to all customers affected. We take the protection of user data very seriously. Now it is up to us to clarify the details, to learn from what has happened and to avert damage to affected customers as far as possible," said Matthias Peuckert, CEO of SE.

The company had learned about the insecure server from a tip from the German Federal Office for Information Security (BSI) and reacted immediately.

The provider SE wants to inform about the progress of their investigation. I leave it up to you to judge.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *