This article was published on March 14, 2018

Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users


Few people are familiar with the Chicago-based MBM Company, Inc, but perhaps you might be familiar with its jewelry brand Limogés Jewelry. This firm sells cut-price trinkets through its website to customers across the US and Canada.

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file.

According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information of over 1.3 million people. This includes postal addresses, ZIP codes, e-mail addresses, and IP addresses. He also claims the database contained plaintext passwords — which is a big security ‘no-no.’

In a press release, Diachenko said: “Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.”

The backup file was named ‘MBMWEB_backup_2018_01_13_003008_2864410.bak,’ which suggests the file was created on January 13, 2018. It’s believed to contain current information about the company’s customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year.

Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company.

TNW spoke to Diachenko earlier today. When asked to put the severity of this incident into context, he said: “I consider it as a quite serious incident for a number of factors. First, [it has] a rather ‘easy-to-guess’ bucket name which opens a big possibility that somebody has already seen the data. With so many scanning tools available online, there is a big chance that this combination of a ‘big brand and common suffix’ S3 domain name has appeared on someone’s radar.”

It’s worth noting that there’s no evidence a malicious third party has accessed the dump. Diachenko said Kromtech’s researchers didn’t notice any ransom notes, which regularly appear in compromised MongoDB and CouchDB databases. However, he added, “that does not mean that nobody [has] accessed the data.”

Diachenko is also concerned about the presence of plaintext passwords in the data file. “There is a great concern that many users [are] re-using passwords for multiple accounts, including email accounts,” he said.

According to Diachenko, MBM Company failed to respond to Kromtech’s researchers, but instead quietly secured the Amazon S3 bucket.

Improperly protected Amazon S3 buckets have ensnared a lot of big-name companies in security SNAFUs. Even though it’s trivially easy to add proper authentication to a bucket, institutions like FedEx, web analytics firm Alteryx, RNC contractor Deep Root, and the City of Chicago have all been caught with their pants down.
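As an added example (not from the article, Kromtech, or MBM Company), here is an offline check for the misconfiguration class described above. It inspects a bucket ACL, bucket policy and Block Public Access configuration in the shapes the S3 `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` calls return; the sample documents are constructed, and the bucket name and owner ID are placeholders.

```python
"""Flag S3 bucket ACLs, policies and Block Public Access settings that expose data."""

# Grantee URIs that mean "anyone" or "any AWS account holder".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """Return permissions the ACL grants to anonymous or any-authenticated principals."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def policy_public_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition."""
    found = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and principal.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            found.append(st.get("Sid", "<no Sid>"))
    return found

def block_public_access_gaps(cfg):
    """Return the Block Public Access flags that are not switched on."""
    return [k for k in BPA_FLAGS if not cfg.get(k, False)]

def assess_bucket(acl, policy, bpa):
    """Combine the three checks into one list of findings for a bucket."""
    findings = [f"ACL grants {p} to a public group" for p in acl_public_grants(acl)]
    findings += [f"policy statement {s} allows any principal"
                 for s in policy_public_statements(policy)]
    findings += [f"Block Public Access flag {f} is off"
                 for f in block_public_access_gaps(bpa)]
    return findings

# Constructed sample: world-readable ACL, wildcard-principal policy, two BPA flags off.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for line in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_BPA):
        print(line)
```

A bucket passes only when all three functions return empty lists; turning on all four Block Public Access flags is the single setting that neutralises both the ACL and the policy findings.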

Diachenko recommends that anyone who wants to use this technology first familiarize themselves with its security basics. And for anyone who has bought a bargain-basement engagement ring lately, he suggests they change their passwords and sign up for Troy Hunt’s Have I Been Pwned.
