Infosec researchers have uncovered an unsecured Elasticsearch database containing 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com.
LightInTheBox is a Chinese online retailer trading on the New York Stock Exchange, most of its customers are in North America and Europe. LightInTheBox focuses on the sale of gadgets, clothing and small accessories.
LightInTheBox is generating over 12 million monthly visitors on its website, along with several smaller subsidiary companies.
The data leak was discovered by VPNmentor in late November, data in the archive was “unsecured and unencrypted”, and accessible from anyone via a web browser.
“Led by cybersecurity analysts Noam Rotem and Ran Locar, vpnMentor’s research team discovered a leak in a database belonging to the online retailer LightInTheBox.” reads the post published by vpnMentor.
“A massive database, it contained over 1 terabyte of daily logs and compromised the security of LightInTheBox customers across the globe.”
The unsecured Elasticsearch installs contained over 1.3 TB of data, totaling over 1.5 billion records, it also included data from their subsidiary sites such as MiniInTheBox.com.
vpnMentor researchers pointed out that the security measures implemented by the retailer were insufficient.
The web server log contained activities related to the site dating from 9th of August 2019 to 11th of October.
Exposed data included email addresses, IP addresses, countries of residence and pages each visitor visited on LightInTheBox’s website.
Experts warn of possible phishing attacks that could be launched by crooks that had access to users’ email addresses and their browsing history.
Below the timeline of the discovery:
“This data breach represents a major lapse in LighInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no user Personally Identifiable Information data could be a threat to both the company and its customers. concludes the post.
“By exposing their data, LightInTheBox risks further loss of business that could negatively impact future revenues.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Iran, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by…
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
This website uses cookies.