Hariexpress's misconfigured ElasticSearch server exposed a huge amount of eCommerce customers' and platform users' PII.
It was probably higher by the time it got secured.
Who Is Hariexpress?
Hariexpress was founded in Sao Paulo, Brazil.
Features include store cloning and unified inventory management, not to mention ERP analytics that report on business performance.
Hariexpress has some major partners that integrate their services with the platform.
These include Mercado Livre, B2W Digital, Amazon, Shopee, Magalu, tinyERP, Bling!, and Nuvemshop.
Correios is another Hariexpress partner.
Correios is Brazil's national postal service, and Hariexpress's server has exposed data for this major organization too.
What Was Leaked?
Hariexpress's ElasticSearch server was left unencrypted, without any password protection in place.
As a result, it exposed 1.75+ billion records, totaling more than 610 GB of data.
the businesses using the Hariexpress platform.
You can see examples of leaked order details below.
Extensive links to images of the product found in the server
Information including a CPF number
Leaked order details can be an issue in more ways than one.
Some logs leak details of eCommerce customers' sensitive purchases.
Orders that were made privately now reveal personal information that one may find embarrassing or damaging.
Images of invoices, including delivery invoices
The CNPJ numbers of vendors can also be seen.
However, an exact estimate is difficult due to the presence of duplicate email address entries.
You're free to see a full breakdown of the Hariexpress data breach in the table below.
Hariexpress's ElasticSearch server was live and being updated at the time of discovery.
The information in the database was in Portuguese which prolonged our investigation.
A Hariexpress employee asked for our contact number but was unreachable thereafter.
CNPJ numbers
On July 8th, we contacted Brazilian CERT, who stated they weren't in charge of such disclosure.
Hariexpress's leaked server content could also affect its own business.
We cannot know whether unethical hackers have discovered Hariexpress's unsecured ElasticSearch server.
After all, Brazilian eCommerce is a rapidly growing industry, projected to reach 149 billion BRL in 2021.
This blind spot makes mega breaches like the Hariexpress breach possible.
It's difficult to say exactly how many customers are ultimately affected.
Phishing attacks and social engineering attempts should be at the forefront of any concerned customer's thinking.
Hackers could use leaked email addresses to get in touch with the victim.
Hackers could use a long list of different forms of customer PII to build trust with the victim.
The email could be personalized to the recipient using a name and address.
The hacker could build a convincing narrative using order information, invoices, and billing details.
This is a phishing attack.
Phishing attacks can be used to help hackers commit fraud.
The victim then pays this invoice unknowingly.
Theft is another risk to consumers.
High-value orders would draw attention to wealthier targets.
Sellers using Hariexpress must be aware that their names and addresses are included in the open database.
Hariexpress users could be targeted with phishing attempts and scams themselves using this information.
Hariexpress users could face account takeover using leaked login credentials.
Corporate espionage is indeed an issue, too.
The open ElasticSearch server has leaked customer orders for numerous eCommerce businesses.
This could also be an issue for Hariexpress.com.br.
This could include industry secrets.
Hariexpress has placed these individuals in danger of crime, breaking Brazilian data protection laws in the process.
The law applies to any business or person that handles the data of Brazilian citizens.
Hariexpress could face a loss of business from reputational damage with such a sizable leak.
Business owners have entrusted Hariexpress to protect their livelihoods, and Hariexpress has failed to keep this information secure.
Current users may, therefore, look to leave Hariexpress due to cybersecurity concerns.
Potential customers could look to use other marketplace integration tools for the very same reason.
Preventing Data Exposure
How can we avoid data exposure and the damaging after-effects of a data leak?
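The exposure described in this report (an ElasticSearch HTTP API reachable with no password and no encryption) comes down to a handful of elasticsearch.yml settings. As an added example that is not part of the original report, the script below embeds a constructed "exposed" configuration beside a hardened one and audits each for those settings; the cluster name, host address and keystore path are assumptions, not Hariexpress's actual setup.

```python
"""Audit an elasticsearch.yml for the exposure pattern in this report:
no authentication, no TLS on the HTTP API, and a public bind address."""
import re

# Constructed sample configurations (not Hariexpress's real files).
EXPOSED_CONFIG = """
cluster.name: orders
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: orders
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Bind values that expose the node on every interface (ES defaults to loopback).
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.
    Assumption: no nested YAML blocks; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit(text):
    """Return a list of findings; an empty list means the checks passed.
    A missing key is treated as 'not enabled': conservative for 7.x, where the
    default is off; on 8.x security defaults to on, so adjust for your version."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("no authentication: xpack.security.enabled is not true")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP API without TLS: xpack.security.http.ssl.enabled is not true")
    host = s.get("network.host", "")
    if host in PUBLIC_BINDINGS and findings:
        findings.append(f"bound to public interface {host} while unprotected")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```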
For a full review of SafetyDetectives' cybersecurity reporting over the past 3 years, follow the SafetyDetectives Cybersecurity Team.