DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Informed of a data leak in July, Brazilian integrator platform continued to expose more than 1.75 billion files

Posted on October 14, 2021 by Dissent

Updated at 11:11 am:  DataBreaches.net has been informed the data have been secured.

Remember when the Brazilian government complained about Raid Forums for posting so many leaks and data dumps from Brazil?  If this one ever shows up on Raid Forums, they will probably go nuts.

Safety Detectives reports:

The Safety Detectives cybersecurity team, led by Anurag Sen, uncovered a critical data leak affecting the Brazilian Marketplace Integrator platform Hariexpress.com.br.

According to the company’s website, Hariexpress integrates several eCommerce marketplaces into a single platform, allowing traders to organize and automate processes across all of their different online stores.

Hariexpress’ misconfigured ElasticSearch server exposed a huge amount of eCommerce customers’ and platform users’ PII.

The last time we checked Hariexpress’ server to verify its status, it had exposed over 1.75 billion records and 610+ GB of sensitive data. It was probably higher by the time it got secured.

Notice that last sentence.

Read more on Safety Detectives.  There’s a lot of details in their report that will be of interest, but what I really picked up on (of course!) was the difficulty they experienced with responsible disclosure.  They wrote, in part:

Hariexpress’ ElasticSearch server was live and being updated at the time of discovery. The server was apparently exposed on the internet from May 12th, 2021, and the Safety Detectives cybersecurity team discovered it over a month later.

The information in the database was in Portuguese which prolonged our investigation. We reached out to Hariexpress regarding the company’s server on July 1st, 2021, receiving a reply on July 5th, 2021. A Hariexpress employee asked for our contact number but was unreachable thereafter. On July 8th, we contacted Brazilian CERT, who stated they weren’t in charge of such disclosure.

When DataBreaches.net contacted Anurag to find out when the firm locked down the data because we didn’t see the date in their report, we learned that the server was still unsecured and the data had grown to more than 1.3 TB of data.

Because the data were still exposed, DataBreaches.net delayed publication while trying to give Hariexpress one more chance to lock down the data before this site went public. (We suspect that other news outlets did not realize that the data were still exposed when they reported on SafetyDetective’s report).

Despite giving them more time, Hariexpress did not lock down their data. Even when SafetyDetective’s report was picked up by Brazilian media, Hariexpress absurdly claimed that it was  “finding the facts” with the IT sector (information technology), “to understand the magnitude of what happened”. “We are committed to clarifying the facts and correcting the exposed flaws.”  That’s a machine translation.

Finding the facts? You had your elastic search wide open to the public and search engines.  What other “facts” do you need to understand? The researchers gave you their phone number on July 5 and you never contacted them.

DataBreaches.net is not publishing the IP address, but Harieexpress has been exposing consumer data for more than three months after they were first contacted by researchers to alert them to the problem. Considering how embarrassing some orders might be for some consumers (see, for example, the penis pump order that SafetyDetectives redacted), someone should be yelling at Hariexpress.com.br to secure their data.

Updated and corrected at 11:11 am to remove last paragraph that stated that the data were still exposed. According to the original researcher, the data were secured by the early hours of this morning.

Related posts:

  • TeamGhostShell posts “master list” of 548 leaks (so far)
  • Japanese medical online consultation site leaking consumer-submitted images of symptoms
Category: Business SectorExposureNon-U.S.

Post navigation

← Williamsville School employees’ private health data inadvertently leaked by Independent Health
Za: Hacker found guilty of fraud after email swindle →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.