U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Online Retailer LightInTheBox exposes unsecured DB containing 1.3TB of web server logs

vpnMentor researchers discovered an unsecured server belonging to the Chinese e-store LightInTheBox.com containing 1.3TB of web server logs. Infosec researchers have uncovered an unsecured Elasticsearch database containing 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com. LightInTheBox is a Chinese online retailer trading on the New York Stock Exchange, most of its […]

LightInTheBox

vpnMentor researchers discovered an unsecured server belonging to the Chinese e-store LightInTheBox.com containing 1.3TB of web server logs.

Infosec researchers have uncovered an unsecured Elasticsearch database containing 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com.

LightInTheBox is a Chinese online retailer trading on the New York Stock Exchange, most of its customers are in North America and Europe. LightInTheBox focuses on the sale of gadgets, clothing and small accessories.

LightInTheBox is generating over 12 million monthly visitors on its website, along with several smaller subsidiary companies.

The data leak was discovered by VPNmentor in late November, data in the archive was “unsecured and unencrypted”, and accessible from anyone via a web browser.

“Led by cybersecurity analysts Noam Rotem and Ran Locar, vpnMentor’s research team discovered a leak in a database belonging to the online retailer LightInTheBox.” reads the post published by vpnMentor.

“A massive database, it contained over 1 terabyte of daily logs and compromised the security of LightInTheBox customers across the globe.”

The unsecured Elasticsearch installs contained over 1.3 TB of data, totaling over 1.5 billion records, it also included data from their subsidiary sites such as MiniInTheBox.com.

vpnMentor researchers pointed out that the security measures implemented by the retailer were insufficient.

The web server log contained activities related to the site dating from 9th of August 2019 to 11th of October.

Exposed data included email addresses, IP addresses, countries of residence and pages each visitor visited on LightInTheBox’s website.

Code snippets show how 3 separate email addresses were exposed

Experts warn of possible phishing attacks that could be launched by crooks that had access to users’ email addresses and their browsing history.

Below the timeline of the discovery:

  • Date discovered: 20/11
  • Date vendors contacted: 24/11
  • Date of Action: Approx. 24/11/19

“This data breach represents a major lapse in LighInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no user Personally Identifiable Information data could be a threat to both the company and its customers. concludes the post.

“By exposing their data, LightInTheBox risks further loss of business that could negatively impact future revenues.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]