A Walmart jewelry partner that manages an Amazon Simple Storage Service (S3) bucket has exposed the personal data and contact information of its 1.3 million customers. The sensitive information was exposed to the public Internet.
The S3 bucket, which contains an MSSQL database backup, belongs to MBM Company, which operates its jewelry business under the name Limoges Jewelry. Limoges Jewelry is based in Chicago, IL.
The security firm Kromtech Security discovered the publicly accessible bucket. The exposed data included names, physical and e-mail addresses, zip codes, phone numbers, IP addresses, and account passwords of more than 1.3 million US and Canadian customers of the company.
Kromtech Security stated:
The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company would store passwords in plain text instead of encrypting them.
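The first of those two failures, a bucket readable by anyone, is visible in the bucket's ACL and bucket policy. As an added illustration (not code from the article, from Kromtech or from any of the companies named), here is a small Python audit over the two documents that S3 returns, flagging ACL grants to the AllUsers/AuthenticatedUsers groups and policy statements that allow a wildcard principal with no Condition. The sample inputs are constructed to match the shape of boto3's get_bucket_acl()/get_bucket_policy() output; "example-bucket" and "vpce-EXAMPLE" are placeholders.

```python
import json

# AWS predefined group URIs; a grant to either makes the bucket readable by anyone.
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Grants to AllUsers/AuthenticatedUsers in a get_bucket_acl()-shaped dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_is_anyone(principal):
    # Both "Principal": "*" and {"AWS": "*"} mean anonymous access.
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def public_policy_statements(policy_json):
    """Allow statements for Principal '*' with no Condition in a bucket policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):  # a conditioned wildcard (e.g. VPC-endpoint only) is not world-open
            continue
        findings.append((st.get("Sid", "<no Sid>"), _as_list(st.get("Action"))))
    return findings

# Constructed samples shaped like boto3 get_bucket_acl()/get_bucket_policy() output;
# "example-bucket" and "vpce-EXAMPLE" are placeholders, not values from the incident.
OPEN_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": OPEN_ACL["Grants"][:1]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
```

Against OPEN_ACL and OPEN_POLICY the audit reports the AllUsers READ grant and the PublicRead statement, while the VpcOnly statement is left alone because its Condition restricts it; an account-level S3 Block Public Access setting would override both, so check that too.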
According to Bob Diachenko, security expert and head of communications at Kromtech Security, it initially appeared that the exposed information belonged to Walmart because the bucket was named 'walmartsql'. Further investigation, however, linked it to MBM Company.
Upon analyzing the content of the bucket we've come to the conclusion that [these] were all MBM customers. However, it is unknown whether they've been accessing MBM inventory via the Walmart platform (or other partner sites) or directly via the Limogés Jewelry site.
Threatpost indicated that there is no actual evidence that hackers accessed the open storage bucket. In similar cases, such as the MongoDB and CouchDB incidents, ransom notes were left behind; in this case nothing was. That does not, however, mean that no one accessed the exposed data.
The data had been publicly accessible since January 13, 2018.
The report also mentioned that the database contained data for other retailers, such as HSN, Amazon, Sears, Target, and Overstock.
It also contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc. Records were seen with dates ranging from 2000 to early 2018.
According to Kromtech, Walmart was notified about the publicly accessible Amazon S3 bucket immediately after it was discovered.
However, Walmart was unable to comment on the incident, and MBM Company did not respond to Kromtech's inquiries.