Experts discovered a leaking, active database with over 123 million records belonging to Decathlon Spain (and possibly Decathlon UK as well).
Experts from vpnMentor have uncovered a leaking, active database containing over 123 million records belonging to the sporting goods retailer Decathlon Spain (and possibly Decathlon UK as well).
The unsecure archive is greater than 9GB in size and was published on an ElasticSearch server.
“The vpnMentorcybersecurity research team, led by Noam Rotem and Ran Locar, have uncovered a leaking, active database with over 123 million records and greater than 9GB in size on an ElasticSearch server, belonging to Decathlon Spain.” reads the post published by vpnMentor.
vpnMentor researchers discovered the Decathlon’s data leak as part of a huge web mapping project, the database was accessible using a common web browser.
Timeline of Discovery and Owner Reaction
The experts discovered the database on February 12, 2020, and reported their discovery to Decathlon on February 16, the archive was security on February 17.
The records contained in the unsecured database include employee data and more such as:
Employee
Unencrypted passwords
API logs
API username and unencrypted password
PII of employees
Social security numbers
Full names
Nationalities
Mobile phone numbers
Full addresses
Birthdates
Education
Work email addresses
Employment contract information
Working hours
Location
Qualifications
Contract period
Roles
Customer email and login information, unencrypted
Private IP addresses
“Our research team was only able to confirm that the database belonged to Decathlon Spain, with a strong possibility of Decathlon United Kingdom information included as well.” reported vpnMentor. “These are the countries where we found local Decathlon data included in the leak, but we did not go through all 123 million+ records, and it is possible that there are more locations in additional countries that were impacted.”
The archive also includes unencrypted logins for administrators that could be used by attackers to take over accounts and obtaining otherwise confidential information about stores, employees, and customers.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
February 25, 2020
