A brand, best known for its lion roaring for over a century, has leaked access to its user data in Peru.
And while the country is not that big of a market for the car maker, this discovery is yet another example of how big and well-known brands fail to secure sensitive data.
On February 3rd, the Cybernews research team discovered an exposed environment file (.env) hosted on the official Peugeot store for Peru.
The exposed file contained:
Combined, the leaked information could be used to compromise the dataset and the website.
Judging from its username, MySQL was used to store user information. The company has also leaked the credentials needed to access the dataset. An attacker could use this data to log in, exfiltrate, or modify the dataset’s contents.
The passphrase for JWT, an industry standard used to share information between two entities, was very weak and easily guessable. The private certificate, used in combination with the passphrase, was also stored on the same server.
The leaked Symphony application secret could have been used to decrypt previously encrypted data such as user cookies and session IDs. If exposed, such information could enable the threat actor to impersonate a victim and access applications illegitimately.
The link to the git repository could be used in social engineering attacks against the platform developers to gain access to the repository, and in turn, steal the source code of the site.
“The way the environment file was configured also shows a lack of expertise and understanding of how to develop applications securely. User information from a breach like this is very valuable to malicious actors, as car owners or future car owners are more likely to have more savings and are therefore a bigger target for malicious actors,” Cybernews researchers said.
If you want to know how big the impact of the data leak is, give a look at the original post at
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Peugeot)