Re: Store, Samsung, Sony Center, Nike, LEGO and Street Beat shopper data leak

Last week, Kommersant reported that "Street Beat and Sony Center customer bases were publicly available," but in fact, everything is much worse than what is written in the article.

I already did a detailed technical analysis of this leak in my Telegram channel , so here we’ll go over only the main points.

Дисклеймер: вся информация ниже публикуется исключительно в образовательных целях. Автор не получал доступа к персональным данным третьих лиц и компаний. Информация взята либо из открытых источников, либо была предоставлена автору анонимными доброжелателями.

The next Elasticsearch server with indexes turned out to be in free access:

• graylog2_0
• readme
• unauth_text
• http:
• graylog2_1

In graylog2_0 contained logs since 16.11.2018 till March 2019 and graylog2_1 - logs from March 2019 on 04.06.2019. Until the close of access to Elasticsearch, the number of entries in graylog2_1 grew.

According to the Shodan search engine, this Elasticsearch has been in the public domain since 11/12/2018 (in this case, as described above, the first log entries are dated 16/11/2018).

In the logs, the gl2_remote_ip field indicated the IP addresses 185.156.178.58 and 185.156.178.62, with the DNS names srv2.inventive.ru and srv3.inventive.ru :

I notified Inventive Retail Group ( www.inventive.ru ) about the problem on 06/04/2019 at 18:25 (GMT) and by 22:30 the server “quietly” disappeared from free access.

It was contained in the logs (all data is estimated, duplicates from the calculations were not deleted, so the amount of real leaked information is most likely less):

• Over 3 Million Email Addresses for Re Shoppers: Store, Samsung, Street Beat, and Lego
• more than 7 million phones of buyers of re: Store, Sony, Nike, Street Beat and Lego stores
• more than 21 thousand pairs login / password from personal accounts of buyers of Sony and Street Beat stores.
• most telephone and email records also contained full names (often in Latin letters) and loyalty card numbers.

Example from the log related to the customer of the Nike store (all sensitive data has been replaced by “X” characters):

"message": "{\"MESSAGE\":\"[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact[ДАННЫЕ POST] Array\\n(\\n    [contact[phone]] => +7985026XXXX\\n    [contact[email]] => XXX@mail.ru\\n    [contact[channel]] => \\n    [contact[subscription]] => 0\\n)\\n[ДАННЫЕ  GET] Array\\n(\\n    [digital_id] => 27008290\\n    [brand] => NIKE\\n)\\n[ОТВЕТ СЕРВЕРА] Код ответа - 200[ОТВЕТ СЕРВЕРА] stdClass Object\\n(\\n    [result] => success\\n    [contact] => stdClass Object\\n        (\\n            [phone] => +7985026XXXX\\n            [email] => XXX@mail.ru\\n            [channel] => 0\\n            [subscription] => 0\\n        )\\n\\n)\\n\",\"DATE\":\"31.03.2019 12:52:51\"}",

Here is an example of how logins and passwords were stored in logs from personal accounts of customers on sc-store.ru and street-beat.ru sites :

"message":"{\"MESSAGE\":\"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[МЕТОД ЗАПРОСА] personal[ДАННЫЕ  GET] Array\\n(\\n    [digital_id] => 26725117\\n    [brand]=> SONY\\n)\\n[ОТВЕТ СЕРВЕРА] Код ответа - [ОТВЕТ СЕРВЕРА] \",\"DATE\":\"22.04.2019 21:29:09\"}"

The official IRG statement on this incident can be read here , excerpt from it:

We could not leave this moment unattended and changed the passwords for personal dashboards of clients to temporary ones, in order to avoid the possible use of data from personal dashboards for fraudulent purposes. The company does not confirm the leak of personal data of street-beat.ru customers. All projects of Inventive Retail Group were promptly checked additionally. No threats to personal data of clients were found.

It’s bad that the IRG cannot figure out what has leaked and what hasn’t. Here is an example from the log related to a Street Beat store customer:

"message": "{\"MESSAGE\":\"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'МЕТОД ЗАПРОСА' = contact,'ДАННЫЕ POST' = Array\\n(\\n    [contact[phone]] => 7915545XXXX\\n)\\n,'ДАННЫЕ  GET' =\\n\\t\\tArray\\n(\\n    [digital_id] => 27016686\\n    [brand] => STREETBEAT\\n)\\n,'ОТВЕТ СЕРВЕРА' = 'Код ответа - '200,'RESPONCE' = stdClass Object\\n(\\n    [result] => success\\n    [contact] => stdClass Object\\n        (\\n            [phone] => +7915545XXXX\\n            [email] => XXX@gmail.com\",\"Дата\":\"01.04.2019 08:33:48\"}",

However, we turn to the very bad news and explain why this is precisely the leak of personal data of IRG clients.

If you look closely at the indices of this freely available Elasticsearch, you will notice two names in them: readme and unauth_text . This is a characteristic feature of one of the many ransomware scripts. They hit more than 4 thousand Elasticsearch servers around the world. The readme content looks like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

While the server with the IRG logs was in the public domain, the ransomware script definitely got access to the client’s information and, if you believe the message left by it, the data was downloaded.

In addition, I have no doubt that this database was found before me and already downloaded. I would even say that I am sure of this. There is no secret that such open bases are purposefully searched and pumped out.

News about information leaks and insiders can always be found on my Telegram channel “ Information leaks ”: https://t.me/dataleak .