DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Informed of a data leak in July, Brazilian integrator platform continued to expose more than 1.75 billion files

Posted on October 14, 2021 by Dissent

Updated at 11:11 am:  DataBreaches.net has been informed the data have been secured.

Remember when the Brazilian government complained about Raid Forums for posting so many leaks and data dumps from Brazil?  If this one ever shows up on Raid Forums, they will probably go nuts.

Safety Detectives reports:

The Safety Detectives cybersecurity team, led by Anurag Sen, uncovered a critical data leak affecting the Brazilian Marketplace Integrator platform Hariexpress.com.br.

According to the company’s website, Hariexpress integrates several eCommerce marketplaces into a single platform, allowing traders to organize and automate processes across all of their different online stores.

Hariexpress’ misconfigured ElasticSearch server exposed a huge amount of eCommerce customers’ and platform users’ PII.

The last time we checked Hariexpress’ server to verify its status, it had exposed over 1.75 billion records and 610+ GB of sensitive data. It was probably higher by the time it got secured.

Notice that last sentence.

Read more on Safety Detectives.  There’s a lot of details in their report that will be of interest, but what I really picked up on (of course!) was the difficulty they experienced with responsible disclosure.  They wrote, in part:

Hariexpress’ ElasticSearch server was live and being updated at the time of discovery. The server was apparently exposed on the internet from May 12th, 2021, and the Safety Detectives cybersecurity team discovered it over a month later.

The information in the database was in Portuguese which prolonged our investigation. We reached out to Hariexpress regarding the company’s server on July 1st, 2021, receiving a reply on July 5th, 2021. A Hariexpress employee asked for our contact number but was unreachable thereafter. On July 8th, we contacted Brazilian CERT, who stated they weren’t in charge of such disclosure.

When DataBreaches.net contacted Anurag to find out when the firm locked down the data because we didn’t see the date in their report, we learned that the server was still unsecured and the data had grown to more than 1.3 TB of data.

Because the data were still exposed, DataBreaches.net delayed publication while trying to give Hariexpress one more chance to lock down the data before this site went public. (We suspect that other news outlets did not realize that the data were still exposed when they reported on SafetyDetective’s report).

Despite giving them more time, Hariexpress did not lock down their data. Even when SafetyDetective’s report was picked up by Brazilian media, Hariexpress absurdly claimed that it was  “finding the facts” with the IT sector (information technology), “to understand the magnitude of what happened”. “We are committed to clarifying the facts and correcting the exposed flaws.”  That’s a machine translation.

Finding the facts? You had your elastic search wide open to the public and search engines.  What other “facts” do you need to understand? The researchers gave you their phone number on July 5 and you never contacted them.

DataBreaches.net is not publishing the IP address, but Harieexpress has been exposing consumer data for more than three months after they were first contacted by researchers to alert them to the problem. Considering how embarrassing some orders might be for some consumers (see, for example, the penis pump order that SafetyDetectives redacted), someone should be yelling at Hariexpress.com.br to secure their data.

Updated and corrected at 11:11 am to remove last paragraph that stated that the data were still exposed. According to the original researcher, the data were secured by the early hours of this morning.

No related posts.

Category: Business SectorExposureNon-U.S.

Post navigation

← Williamsville School employees’ private health data inadvertently leaked by Independent Health
Za: Hacker found guilty of fraud after email swindle →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.