"Office Depot Configuration Error Exposes One Million Records"

Security researchers at Website Planet discovered a misconfigured Elasticsearch server belonging to a popular office supplies store chain on March 3rd. The server was leaking nearly one million records, including customers’ personal information. The researchers were quickly able to trace it back to Office Depot Europe, which operates across the region with bricks-and-mortar stores and online under the Office Depot and Viking brands. Among the 974,000 unencrypted records found in the database were customer names, phone numbers, home addresses, office addresses, @members.ebay addresses, marketplace logs, order histories, and hashed passwords. The researchers warned that cyber-criminals could have used such data to perform convincing phishing attacks. Alongside the customer information, the database held data on middleware, IP addresses, ports, pathways, and storage systems used by the organization, which could have been exploited to target the Office Depot corporate network. Although Office Depot Europe secured the database within hours of notification, the researchers stated that it may have been exposed for up to 10 days.

 

Infosecurity reports: "Office Depot Configuration Error Exposes One Million Records"

Submitted by Anonymous on