The France-based sports retailer Decathlon recently noticed that more than 123 million records containing customer and employee information had been exposed through a misconfigured database. Researchers at vpnMentor discovered the 9GB database on an Elasticsearch server. Based on vpnMentor’s observations, the data appears to belong to Decathlon’s Spanish and UK businesses. The information on the server included employee usernames, unencrypted passwords, Social Security numbers (SSNs), full names, addresses, mobile phone numbers, and birthdates. The database also contained customer information such as unencrypted email and log-in information. The company was notified four days after the database was discovered on February 16th and immediate action was taken. The database has since been made unavailable.