An open database containing over 200,000 personal information entries turned the customers of an Indian retailer into vulnerable targets.
The leaked dataset contained personal information, such as emails, phone numbers, names, and poorly protected passwords, exposing customers to identity theft and credential-stuffing attacks.
The Effects of Unprotected Passwords
According to Cybernews, the unprotected 18.2GB database, hosted by AWS in the US, was discovered on September 20. The researchers were able to attribute the instance to the Indian online retailer and noted that the passwords were protected with MD5, a very weak hashing algorithm. As one of the oldest hashing algorithms, MD5 is generally easy to crack for anyone intending to recover the original password.
On top of that, the database held one-time password (OTP) logs that could allow attackers to monitor the database and bypass two-factor authentication.
The dataset is now closed, yet the retailer has not made any statements regarding the event and potential precautions being taken to prevent similar leaks.
Retail Constantly Targeted
Retail has become a favorite target of hackers for ransomware and data theft. Many online retailers collect vast amounts of user data, only for that data to fall prey to malicious attacks because of poor encryption practices. Threat actors exploit the security gaps they find in a company's IT systems to gain access. Protecting passwords with MD5 or SHA-1 is a prime example of a practice that can lead to data loss.
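As an added illustration (not code from Cybernews or the retailer), the Python example below shows one way a site holding MD5 password hashes can move each account to a salted, memory-hard scrypt hash at its next successful login. The record format, the function names and the assumption that the legacy hashes are unsalted are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed record format (assumption): "md5$<hex>" or "scrypt$<salt>$<key>".
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def legacy_record(password: str) -> str:
    """Unsalted MD5, as assumed for the old records: equal passwords give equal hashes."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard hash used for new and upgraded records."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record type; malformed records fail closed."""
    scheme, _, rest = stored.partition("$")
    try:
        if scheme == "md5":
            digest = hashlib.md5(password.encode()).digest()
            return hmac.compare_digest(digest, bytes.fromhex(rest))
        if scheme == "scrypt":
            salt_hex, _, key_hex = rest.partition("$")
            key = hashlib.scrypt(password.encode(),
                                 salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
            return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:
        pass
    return False


def login(password: str, stored: str):
    """Return (authenticated, record_to_store); legacy records are replaced on success."""
    if not verify(password, stored):
        return False, stored
    if not stored.startswith("scrypt$"):
        return True, hash_password(password)  # upgrade while the plaintext is in hand
    return True, stored
```

Accounts that never log in again keep their MD5 record, so a real migration also needs a cutoff after which remaining legacy records are invalidated and those users are sent through a password reset.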