Updated at 11:11 am: DataBreaches.net has been informed the data have been secured.
Remember when the Brazilian government complained about Raid Forums for posting so many leaks and data dumps from Brazil? If this one ever shows up on Raid Forums, they will probably go nuts.
Safety Detectives reports:
The Safety Detectives cybersecurity team, led by Anurag Sen, uncovered a critical data leak affecting the Brazilian Marketplace Integrator platform Hariexpress.com.br.
According to the company’s website, Hariexpress integrates several eCommerce marketplaces into a single platform, allowing traders to organize and automate processes across all of their different online stores.
Hariexpress’ misconfigured ElasticSearch server exposed a huge amount of eCommerce customers’ and platform users’ PII.
The last time we checked Hariexpress’ server to verify its status, it had exposed over 1.75 billion records and 610+ GB of sensitive data. It was probably higher by the time it got secured.
Notice that last sentence.
Read more on Safety Detectives. There’s a lot of details in their report that will be of interest, but what I really picked up on (of course!) was the difficulty they experienced with responsible disclosure. They wrote, in part:
Hariexpress’ ElasticSearch server was live and being updated at the time of discovery. The server was apparently exposed on the internet from May 12th, 2021, and the Safety Detectives cybersecurity team discovered it over a month later.
The information in the database was in Portuguese which prolonged our investigation. We reached out to Hariexpress regarding the company’s server on July 1st, 2021, receiving a reply on July 5th, 2021. A Hariexpress employee asked for our contact number but was unreachable thereafter. On July 8th, we contacted Brazilian CERT, who stated they weren’t in charge of such disclosure.
When DataBreaches.net contacted Anurag to find out when the firm locked down the data because we didn’t see the date in their report, we learned that the server was still unsecured and the data had grown to more than 1.3 TB of data.
Because the data were still exposed, DataBreaches.net delayed publication while trying to give Hariexpress one more chance to lock down the data before this site went public. (We suspect that other news outlets did not realize that the data were still exposed when they reported on SafetyDetective’s report).
Despite giving them more time, Hariexpress did not lock down their data. Even when SafetyDetective’s report was picked up by Brazilian media, Hariexpress absurdly claimed that it was “finding the facts” with the IT sector (information technology), “to understand the magnitude of what happened”. “We are committed to clarifying the facts and correcting the exposed flaws.” That’s a machine translation.
Finding the facts? You had your elastic search wide open to the public and search engines. What other “facts” do you need to understand? The researchers gave you their phone number on July 5 and you never contacted them.
DataBreaches.net is not publishing the IP address, but Harieexpress has been exposing consumer data for more than three months after they were first contacted by researchers to alert them to the problem. Considering how embarrassing some orders might be for some consumers (see, for example, the penis pump order that SafetyDetectives redacted), someone should be yelling at Hariexpress.com.br to secure their data.
Updated and corrected at 11:11 am to remove last paragraph that stated that the data were still exposed. According to the original researcher, the data were secured by the early hours of this morning.