Data leakage of stores re: Store, Samsung, Sony Center, Nike, LEGO and Street Beat

Last week, Kommersant reported that "Street Beat and Sony Center's customer bases were publicly available," but in fact everything is much worse than what is written in the article.

I already did a detailed technical analysis of this leak in my Telegram channel , so here we will go over only the main points.

:        .           .      ,      . 

The next Elasticsearch server with indices was in free access:

• graylog2_0
• readme
• unauth_text
• http:
• graylog2_1

Graylog2_0 contained logs from November 16, 2018 to March 2019, and graylog2_1 contained logs from March 2019 to June 4, 2019. Until the closure of access to Elasticsearch, the number of records in graylog2_1 grew.

According to the Shodan search engine, this Elasticsearch was freely available from 11/12/2018 (at the same time, as written above, the first entries in the logs are dated 11/16/2018).

In the logs, in the gl2_remote_ip field, the IP addresses 185.156.178.58 and 185.156.178.62 were specified, with the DNS names srv2.inventive.ru and srv3.inventive.ru :

I notified Inventive Retail Group ( www.inventive.ru ) about the problem 04.06.2019 at 18:25 (MSK) and by 22:30 the server “quietly” disappeared from free access.

The logs contained (all the data are estimated, the duplicates were not removed from the calculations, therefore the amount of real leaked information is likely less):

• over 3 million email addresses of shopper customers re: Store, Samsung, Street Beat and Lego
• more than 7 million phone buyers of re: Store, Sony, Nike, Street Beat and Lego stores
• more than 21 thousand login / password pairs from personal accounts of Sony and Street Beat store buyers.
• Most of the entries with telephone and email also contained a full name (often in Latin letters) and loyalty card numbers.

An example from a log related to a Nike store customer (all sensitive data is replaced with “X” characters):

 "message": "{\"MESSAGE\":\"[URI] /personal/profile/[ ] contact[ POST] Array\\n(\\n [contact[phone]] => +7985026XXXX\\n [contact[email]] => XXX@mail.ru\\n [contact[channel]] => \\n [contact[subscription]] => 0\\n)\\n[ GET] Array\\n(\\n [digital_id] => 27008290\\n [brand] => NIKE\\n)\\n[ ]   - 200[ ] stdClass Object\\n(\\n [result] => success\\n [contact] => stdClass Object\\n (\\n [phone] => +7985026XXXX\\n [email] => XXX@mail.ru\\n [channel] => 0\\n [subscription] => 0\\n )\\n\\n)\\n\",\"DATE\":\"31.03.2019 12:52:51\"}", 

And here is an example of how logs and passwords from personal accounts of buyers on sc-store.ru and street-beat.ru were stored in logs:

 "message":"{\"MESSAGE\":\"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[ ] personal[ GET] Array\\n(\\n [digital_id] => 26725117\\n [brand]=> SONY\\n)\\n[ ]   - [ ] \",\"DATE\":\"22.04.2019 21:29:09\"}" 

The official IRG statement on this incident can be read here , an excerpt from it:

We could not leave this moment without attention and changed the passwords to the personal accounts of clients to temporary ones, in order to avoid the possible use of data from personal accounts for fraudulent purposes. The company does not confirm the leakage of personal data of street-beat.ru clients. All additional projects of the Inventive Retail Group were promptly checked. No threats to customer personal data were found.

The bad news is that the IRG cannot figure out what has happened and what has not. Here is an example from the log related to the Street Beat customer:

 "message": "{\"MESSAGE\":\"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,' ' = contact,' POST' = Array\\n(\\n [contact[phone]] => 7915545XXXX\\n)\\n,' GET' =\\n\\t\\tArray\\n(\\n [digital_id] => 27016686\\n [brand] => STREETBEAT\\n)\\n,' ' = '  - '200,'RESPONCE' = stdClass Object\\n(\\n [result] => success\\n [contact] => stdClass Object\\n (\\n [phone] => +7915545XXXX\\n [email] => XXX@gmail.com\",\"\":\"01.04.2019 08:33:48\"}", 

However, let us turn to completely bad news and explain why this is exactly the leakage of IRG clients' personal data.

If you look closely at the indices of this freely available Elasticsearch, you can notice two names in them: readme and unauth_text . This is a characteristic feature of one of the many extortionist scripts. They are affected by more than 4 thousand Elasticsearch servers worldwide. The contents of the readme look like this:

 "ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY" 

During the time when the server with the IRG logs was in free access, the script ransomware received accurate access to the clients' information and, according to the message it left, the data was downloaded.

In addition, I have no doubt that this database was found before me and already downloaded. I would even say that I am sure of this. There is no secret that such open bases are purposefully searched for and pumped out.

News about information leaks and insiders can always be found on my Information Leaks Telegram channel: https://t.me/dataleak .