[BreachExchange] Security Mishap at Kids’ Luxury Fashion E-Store Exposed Personal Information of 200,000 Shoppers

[Terrell Byrd]

https://www.bitdefender.com/blog/hotforsecurity/security-mishap-at-kids-luxury-fashion-e-store-exposed-personal-information-of-200-000-shoppers/

In February, researchers at SafetyDetectives disclosed a data breach
impacting French e-commerce platform Melijoe. According to investigators,
the high-end children’s fashion retailer failed to secure an Amazon S3
bucket, exposing approximately 2 million files, weighing in at 200GB.

What was exposed?
Upon access, researchers were able to view tens of thousands of logs
containing sensitive data and personally identifiable information (PII) of
around 200,000 Melijoe shoppers from France, Germany, the UK, the US and
Russia. The leaked data included:

· Preferences data sets exposing email addresses, children’s names,
genders, date of birth and brand preferences

· Wishlists data sets exposing over 63,000 unique email addresses, date
products were added to wishlists, date of any removed products and item
codes

· Purchase data sets exposing over 150,000 unique email addresses and
purchase information such as ordered items’ SKU code, time of placed order,
prices and currencies, payment methods, delivery addresses, date of
delivery and billing addresses with full names and phone numbers

“Purchases data seemingly affected the largest number of users compared to
the other two datasets,” investigators said.

“These logs extensively detail the purchasing behavior of Melijoe
customers. Again, this reveals private information which could be used
against consumers. Some customers purchased a large number of products,
while other customers bought just one or two items. As with wishlists,
customers who ordered more items had more information exposed about their
favored products.”

Breach timeline and impact
Investigators said they discovered the misconfigured server on Nov. 12,
2021. After failing to reach melijoe.com several times, the team contacted
the French Computer Emergency Response Team (CERT) and AWS to disclose
their findings.

The Amazon S3 bucket was secured on Feb. 18, 2022. Although
SafetyDetectives could not confirm if any malicious actors had accessed the
files before Feb.18, customers are advised to be wary of phishing attacks
mimicking official Melijoe correspondence.

“Hackers could reference any one of several exposed details to build a
narrative around the email,” the investigators added. “For example, the
hacker could reference a person’s preferences/wishlist to convince the
customer they’re being offered a deal. The hacker may convince the victim
to disclose their credit card credentials, for example, or click on a
malicious link. Once clicked, such links can download malware onto the
victim’s device—malicious software that allows hackers to conduct other
forms of data collection and cybercrime.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220301/3869cf08/attachment.html>