It’s been one of those weeks when I struggle to keep up with all of the tips and leads I’m sent. One of the leads, received yesterday morning, pointed me to a post on Pastebin with what purported to be a “Link to Download Order History – Netshoes.com – ~500k records.”
The link did, in fact, lead to a data dump with 500,050 records in it. And although there were no table headers, the data appeared to include the customers’ name, email address, date of birth, order number, item number, price, and information on method of payment. There were no postal or shipping addresses in this particular table.
DataBreaches.net attempted to contact the etailer through their site, but after several attempts to send them a message appeared to fail for reasons that were not obvious and that didn’t translate easily, I gave up. The site displays a “site seguro” assurance from Certisign, but I saw no https: or other special security on the cart or payment page.
DataBreaches.net sent email inquiries to several names in the database. One of the inquiries bounced back as host unknown, but none of the others bounced back. Then again, none of the others actually responded to confirm whether they had been customers of Netshoes at the relevant time. Tecmundo, who was also made aware of the data dump, reports that one of their reporters’ data was in the dump and that it appeared to be accurate.
By yesterday afternoon, the pastebin post was gone, as was the data dump.
Tecmundo was able to get a statement from Netshoes (given in Portuguese; translated here):
“Netshoes states that no indications of an intrusion into the company’s systems have been identified, and that it has taken every step to determine the possible origin of the information. The Company stresses that the data in question does not include banking information, credit card details, or access passwords, and reiterates its commitment to the security of its technological environments in order to guarantee the protection of its consumer base’s information.”
When asked about the incident, “DFrank,” who had posted it to Pastebin and who had contacted DataBreaches.net, told this site something similar to what s/he told Tecmundo, saying, “It is an alert for people who are buying at Nethsoes (sic), they say their systems are safe, as we know now, their systems are not safe as they say.” To Tecmundo, s/he added that a fuzzing technique was used to gain access to the data.
DFrank did not respond directly to this site’s question as to whether Netshoes had been hit with any ransom or extortion demand as part of the incident. Nor do we know at the present time whether there are other data that have been acquired from Netshoes. In light of Netshoes’ denials that they have found any evidence of an intrusion, I guess we’ll just have to wait for more proof from DFrank or an updated statement from Netshoes.