Online retailer LightInTheBox exposes 1.6 billion customer records during a three-month period as a result of an unsecured database.
vpnMentor researchers Noam Rotem and Ran Locar discovered the unsecured and unencrypted database on November 20.
The database was a web server log, containing a history of page requests and user activity dating from August 9, 2019 to October 11, 2019. Researchers noted that the database appeared to also contain around 1.5bn entries.
The server logs contained users’ IP addresses, email addresses, countries of residence, visited pages and user activity on the website.
It also contained data from the firm’s subsidiary sites, including MiniInTheBox.com.
Researchers explained that the breach represents a major issue in LightInTheBox’s data security, one that could have been avoided altogether if the firm had implemented basic security measures, such as securing its servers and enforcing proper access rules.
“The exposed data makes those affected vulnerable to many forms of fraud and online attacks. With access to user emails, cybercriminals could create convincing phishing campaigns with emails imitating LightInTheBox,” said vpnMentor’s Noam Rotem and Ran Locar.
“While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no user Personally Identifiable Information data could be a threat to both the company and its customers.”
The post #Privacy: Unsecured database exposes 1.3TB of data appeared first on PrivSec Report.