Elasticsearch server with no password or encryption leaks a million records

POS and online ordering vendor StoreHub offered free Asian info takeaways


Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

Safety Detectives wrote that full names, phone numbers, physical addresses, email addresses, and even device types were among the exposed data.

Customers’ orders, plus the locations they ordered from and the times at which they ordered, were also open to the world. Safety Detectives asserts that order details included “partially masked credit card information.”

Information about StoreHub users’ staff was also exposed.

So were access tokens that could allow miscreants to alter users’ StoreHub-powered sites.

Safety Detectives’ post says it found the exposed server on January 12th and promptly reported it, then followed up – but StoreHub did not respond. On January 27th the security company decided to contact StoreHub’s host – AWS – and Malaysia’s Computer Emergency Response Team. The server was secured by February 2nd.

A statement from StoreHub sent to The Register disputes Safety Detectives' timeline - the company says it was alerted on February 3rd - but does not dispute the existence of the unsecured server.

"Upon being informed of the occurrence on an Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours." The company also revoked tokens in the dataset.

The company conducted an investigation it states revealed "that no sensitive financial data or passwords were contained in the vulnerability." The statement is silent on whether the exposed data was accessed.

StoreHub has now engaged a security consultancy to "verify and prevent future potential vulnerabilities" and has pledged to do much better in future.

Safety Detectives has generously described the cause of this mess as a “misconfigured” server.

Malaysian law may be less lenient, as it provides for substantial fines for non-compliance with data protection laws.

StoreHub could also find itself in trouble beyond its home country, as it operates across several South-East Asian nations. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022