In a recent survey conducted by VPNmentor, it was discovered that several personal data, including emails, names and surnames, photos, identification tokens belonging to employees of the decathlon company, are available online without any protection.
This exposed data is believed to be due to a poor bucket S3 configuration on a server used by one of the company's partners
"The bucket S3 also contained security tokens that could have provided additional access to private accounts or other internal areas of the Decathlon system," VPNmentor said.
This article will also interest you: Microsoft Azure Blob: what lessons learned from data leakage?
This umpteenth data leak is in addition to another that was discovered a little over a year ago, this time again Decathlon Spain, where 123 million records were exhibited on an Elasticsearch server. The data leak was also discovered by VPNmentor.
According to the company's security researcher, the recent data leak affects nearly 8% of Decathlon employees. The partner who would have been involved in the poor configuration of bucket S3, would be a consulting company named Bluenove.
According to figures provided by VPN Mentor, exactly 7883 Decathlon employees are affected by this exhibition. However, the company stated that the majority of the data exposed had nothing to do with its investigation, which was conducted by the consulting firm that was singled out.
"The photos can be illustration photos of the platform, by no means personal photos of the respondents. As for the "city" or "country," the data is linked to the locations of Decathlon stores not the personal information of respondents," a Bluenove spokesperson said in a recent interview.
However, the sensitivity of the majority of the data affected by this leak cannot be denied. "The bucket S3 also contained security tokens that could have provided additional access to private accounts or other internal areas of the Decathlon system. However, we have not attempted to use these tokens for ethical reasons, but we urge Decathlon to investigate further to avoid abuse by malicious third parties," VPNmentor said.
"Token keys are not linked to Bluenove's information system," the consulting company's spokesman added. "We have removed the offending .xls files, which are denser exports of this nature. The[VPNmentor]y may have read them to another level on the way to the bucket. Our exports do not contain token. We export metadata such as those on the file: time stamping, author's name, contribution url," he adds.
According to VPNmentor, the security flaw has been discovered since March 2021. However, there is a good chance that the data will be available since November 2020. This greatly exposes victims to a phishing campaign.
"If hackers had accessed this data, they could have targeted thousands of Decathlon employees and customers with various forms of online fraud and viral attack. By combining an individual's personal data, investigation information and other details exposed, hackers could have created highly effective phishing campaigns posing as Bluenove or Decathlon via email or phone. By doing so, they could easily convince people to provide even more sensitive data for fraudulent purposes or by clicking on built-in links with malware, spyware or other vectors," VPNmentor said in its blog post.
According to the latter, the consulting firm employed by Decathlon, could have avoided this situation, by implementing some very simple methods to secure its servers. "Make the bucket private by adding authentication protocols, follow AWS best access and authentication practices, and add more layers of protection to S3 compartments to further restrict who can access them from each entry point," notes VPNmentor.
For his part, Bluenove argues: "All of our buckets for our consultations are encrypted. When debates are public, we create buckets for public resources that are published and accessible. We have prioritized the implementation of encrypted key and profile management via the secure IAM system since we hosted our steps on AWS."
Now access an unlimited number of passwords: