Shoemaker Ecco leaks almost 60GB of customer data


Shoemaker Ecco has been operating a misconfigured database for more than a year, exposing a huge tranche of sensitive information to whoever knew where to look. 

This is according to a new report from Cybernews, whose research team recently identified 50 Ecco indices exposed to the public. In total, the database held more than 60GB of sensitive data, and it had been accessible since June 2021.

“Millions of sensitive documents, from sales to system information, were accessible. Anyone with access could have viewed, edited, copied and stolen, or deleted the data,” the researchers said. 

API requests

Ecco has since moved to remedy the problem, but did not comment on Cybernews’ findings. The database now appears to be locked, the researchers said.

While scanning the web for unsecured and otherwise misconfigured databases, the research team found an exposed instance hosting Kibana, an ElasticSearch visualization dashboard, for Ecco. Kibana, as the researchers explained, helps process ElasticSearch information.

The instance hosting the dashboard was guarded by HTTP authentication, but the server was (mis)configured in a way that let API requests through without it. Using this loophole, the researchers looked up the index names on Ecco’s ElasticSearch cluster and found 50 exposed indices holding more than 60GB of data. 

The data contained all kinds of sensitive information, from sales and marketing to logging and system information, the researchers said. One index, sales_org, contained more than 300,000 documents. A directory called market_specific_quality_dashboard held more than 820,000 records.

There are multiple ways a threat actor could make use of the database, the researchers further explained: the visible code, names and URLs could have been altered to run phishing campaigns, commit identity theft, or trick people into running malware and ransomware. 

What’s more, the database is not for a local Ecco outpost, but for the global ecco.com website. In the hands of an experienced cybercriminal, the files could be a major tool in attacking the company globally: Ecco stores, their employees, as well as clients and customers.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
