Sporting company Decathlon has suffered a massive data breach exposing records of over 123 million users and employees.
According to researchers at vpnMentor, more than 9GB of data was leaked from an unsecured Elasticsearch server.
The leaked information, which primarily pertains to the Spanish arm of the company, was found on February 12th. Decathlon was informed on 16th February, and the company said the server was fixed the next day.
According to Decathlon, the majority of the data was related to its employees, with very few customers affected.
The leaked files contained information including employee user names, unencrypted passwords, official email addresses, employee contract information, API logs and API credentials.
They also included personally identifiable information such as social security numbers, nationalities, mobile phone numbers, full addresses and birth dates of the employees.
Unencrypted login credentials and private IP addresses belonging to Decathlon’s customers could also be found in the leaked database.
Experts believe the perpetrators may try to steal further data using the administrator credentials or send phishing emails to the customers. Attempts at identity theft and physical attacks cannot be ruled out, because the leaked data contained personally identifiable information.
“The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.
Via: ComputerWeekly