Unsecured Amazon S3 Bucket Claims Another Victim: This Time, the Private Data of 1.3 Million Limogés Jewelry Customers Has Been Exposed
Limogés Jewelry is the jewelry brand of the Chicago, IL-based MBM Company Inc. The company sells jewelry for children, men and women, including pendants, earrings, necklaces, watches, engagement rings, and wedding rings.
Reportedly, researchers at the Germany-based information security firm Kromtech Security discovered an unsecured Amazon S3 storage bucket containing an MSSQL database backup file. The information security training research team believes that MBM Company has been careless in handling customer data.
At first, the information security training researchers suspected that the data belonged to Walmart, because the storage bucket was named ‘walmartsql’. After thoroughly analyzing the file, however, they concluded that it belonged to MBM Company Inc. They also found that data from a number of retailers, including Walmart, was part of the database.
Head of communications Bob Diachenko revealed that when the discovered file was further assessed, it was learned that it contained private and sensitive data belonging to 1,314,193 people.
The data included sensitive personal information such as residential addresses, e-mail IDs, IP addresses and zip codes, along with the plaintext passwords of this massive number of people. That’s not all: the file also contains internal mailing lists, item orders, and promo codes. Diachenko referred to this as “great negligence” on the part of MBM Company Inc.
“Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts,” a statement from Diachenko read.
The discovered file was titled ‘MBMWEB_backup_2018_01_13_003008_2864410.bak’ and was created on January 13, 2018. The database contains information about the company’s customers within the US and Canada, and the file contains updated information, which means the data is current. Customer records from the year 2000 are also part of the database, while the most recent records are from early 2018. Information security training experts are of the opinion that this might be the primary database used by MBM Company.
Considering the severity of this incident, it can be termed a serious issue. Several factors suggest that MBM Company adopted insufficient security practices. For instance, the bucket name was quite “easy to guess” and sat under the common S3 domain suffix, so anyone could have identified it using one of the countless scanning tools available on the internet.
Currently, it is not clear whether the database has been accessed by any malicious third party, since the information security training researchers did not observe ransom notes. Previously, when MongoDB databases were exposed, ransom notes appeared on a regular basis, but this is not the case in this incident.
Insecure Amazon S3 buckets have already victimized a number of mainstream firms, despite the fact that it is fairly easy to restrict a bucket to authenticated, authorized users. MBM Company isn’t the first to have failed to protect a customer database: FedEx, Alteryx, the City of Chicago and RNC contractor Deep Root have all been affected by their lackluster security measures.
Security experts opine that, prior to using this technology, companies must familiarize themselves with the basics of security. After so many incidents involving Amazon S3 buckets, having a storage bucket exposed to public access while it contains sensitive personal data such as email IDs and passwords is downright negligence.
It was very careless of MBM Company to store customers’ private data directly in a storage bucket, with passwords in plaintext and without encryption, an information security training analyst said.
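The points above (an easy-to-guess bucket name and a bucket open to public access) come down to a check a defender can run on every bucket they own. The following is an added example, not code from the article or from Kromtech: it evaluates a bucket's ACL and bucket policy for grants to everyone, using the same dictionary shapes that boto3's get_bucket_acl and get_bucket_policy return. The ACL and policy documents below are constructed for this example; in practice they would be fetched from the AWS API for each bucket in the account.

```python
# Added example (not from the article or Kromtech): offline audit logic that
# flags an S3 bucket whose ACL or bucket policy grants access to everyone.
# Input shapes mirror boto3's get_bucket_acl() / get_bucket_policy() results;
# the sample documents at the bottom are constructed for this example.
import json

# Grantee URIs that make an ACL grant apply to the whole world or to any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs in an ACL that apply to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A policy Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose Principal is everyone and that carry no Condition.

    Statements with a Condition (for example an aws:SourceIp restriction) are
    skipped here; a full audit would evaluate the condition rather than ignore it.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_everyone(s.get("Principal"))
        and not s.get("Condition")
    ]


def audit_bucket(acl, policy_json=None):
    """List the reasons a bucket is public; an empty list means nothing public was found."""
    reasons = [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(acl)]
    if policy_json:
        for s in public_policy_statements(policy_json):
            reasons.append(f"policy allows {s.get('Action')} to everyone (Sid={s.get('Sid')})")
    return reasons


# Constructed sample: an ACL that lets anyone list and read every object.
OPEN_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

# Constructed sample: the owner-only ACL a backup bucket should have.
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample: a bucket policy granting anonymous reads.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    # With boto3 the inputs would come from s3.get_bucket_acl(Bucket=name)
    # and s3.get_bucket_policy(Bucket=name)["Policy"] for each bucket.
    for name, acl, policy in [("open", OPEN_ACL, OPEN_POLICY), ("private", PRIVATE_ACL, None)]:
        print(name, audit_bucket(acl, policy) or ["no public access found"])
```

Account-level S3 Block Public Access makes both of these grants ineffective regardless of how a bucket is configured, so the check above is best used to find what would become exposed if that setting were ever relaxed.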
Diachenko recommends that firms store passwords in encrypted form and force customers to use complex passwords with at least one upper-case letter, one lower-case letter, one symbol and one numeric digit, and that passwords should be up to 12 characters long.
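The recommendation above, as an added example that is not part of the article or Diachenko's statement: the plaintext passwords found in the backup are replaced with salted PBKDF2-HMAC-SHA256 hashes from Python's standard library, verification uses a constant-time comparison, and a policy check applies the four character classes quoted above. The iteration count, the sample customer rows and the reading of "12 characters" as a minimum length are all assumptions of this example.

```python
# Added example (not from the article or from Diachenko): how the credentials
# found in plaintext in the exposed backup should have been stored. Each
# password gets a random per-user salt and a PBKDF2-HMAC-SHA256 hash from the
# standard library; verification compares in constant time. The complexity
# check follows the rules quoted in the article, reading "12 characters" as a
# minimum length (an assumption of this example).
import base64
import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 600_000   # assumption: cost parameter chosen for this example
SALT_BYTES = 16


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def password_meets_policy(password, min_length=12):
    """Upper case, lower case, digit, symbol, and at least min_length characters."""
    return all((
        len(password) >= min_length,
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def migrate_plaintext_rows(rows):
    """Turn rows like those in the dump ({'email', 'password'}) into hashed records.

    The plaintext column is dropped entirely; only the hash record is kept.
    """
    return [{"email": r["email"], "password_hash": hash_password(r["password"])} for r in rows]


# Constructed sample rows standing in for a plaintext customer table.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "password": "Example-Pass-2018!"},
    {"email": "bob@example.com", "password": "Example-Pass-2018!"},  # same password as alice
]

if __name__ == "__main__":
    migrated = migrate_plaintext_rows(SAMPLE_ROWS)
    for row in migrated:
        print(row["email"], row["password_hash"][:40] + "...")
    # Identical passwords yield different records because each salt is random.
    print("records differ:", migrated[0]["password_hash"] != migrated[1]["password_hash"])
    print("login ok:", verify_password("Example-Pass-2018!", migrated[0]["password_hash"]))
    print("policy:", password_meets_policy("Example-Pass-2018!"), password_meets_policy("password"))
```

Storing a salted, slow hash rather than the password itself means that a leaked backup like the one described here exposes records an attacker still has to crack one at a time, and the random salt keeps customers who chose the same password from being linked to each other.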
Kromtech’s information security training researchers notified Walmart about the publicly available Amazon S3 bucket, and the retail giant immediately secured it. MBM Company hasn’t released any statement.