DataBreaches.Net


Netshoes customer data possibly hacked; 500k customers’ order info dumped?

Posted on December 8, 2017 by Dissent

It’s been one of those weeks when I struggle to keep up with all of the tips and leads I’m sent. One of the leads, received yesterday morning, pointed me to a post on Pastebin with what purported to be a “Link to Download Order History – Netshoes.com – ~500k records.”

The link did, in fact, lead to a data dump with 500,050 records in it. And although there were no table headers, the data appeared to include the customers’ name, email address, date of birth, order number, item number, price, and information on method of payment. There were no postal or shipping addresses in this particular table.

DataBreaches.net attempted to contact the e-tailer through their site, but after several attempts to send them a message appeared to fail for reasons that were not obvious and that didn’t translate easily, I gave up. The site has a “site seguro” assurance from Certisign, but I saw no https: or special security on the cart or payment page.

DataBreaches.net sent email inquiries to several names in the database. One of the inquiries bounced back as host unknown, but none of the others bounced back. Then again, none of the others actually responded to confirm whether they had been customers of Netshoes at the relevant time. Tecmundo, who was also made aware of the data dump, reports that one of their reporters’ data was in the dump and that it appeared to be accurate.

By yesterday afternoon, the pastebin post was gone, as was the data dump.

The dump of what appeared to be more than 500,000 Netshoes customers’ order info was removed.

Tecmundo was able to get a statement from Netshoes:

“Netshoes asserts that no indications of an intrusion into the company’s systems have been identified, and that it has taken every diligence to determine the possible origin of the information. The Company emphasizes that such data do not include banking information, credit card information, or access passwords, and reiterates its commitment to the security of its technological environments in order to guarantee the protection of its consumer base’s information.” (Translated from the original Portuguese statement.)

When asked about the incident, “DFrank,” who had posted it to Pastebin and who had contacted DataBreaches.net, told this site something similar to what s/he told Tecmundo, saying, “It is an alert for people who are buying at Nethsoes (sic), they say their systems are safe, as we know now, their systems are not safe as they say.” To Tecmundo, s/he added that a fuzzing technique was used to gain access to the data.

DFrank did not respond directly to this site’s question as to whether Netshoes had been hit with any ransom or extortion demand as part of the incident. Nor do we know at the present time whether there are other data that have been acquired from Netshoes. In light of Netshoes’ denials that they have found any evidence of an intrusion, I guess we’ll just have to wait for more proof from DFrank or an updated statement from Netshoes.


Category: Business Sector, Hack, Non-U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.