Threat Watch

Staples Security Incident

The retail office-supply chain Staples recently notified customers that their personal information had been exposed through the Staples website. Some have speculated that this was a hacking incident, and there is good reason to think so: threat intelligence company Bad Packets revealed that Staples left multiple Pulse Secure VPN servers unpatched against CVE-2019-11510 before finally patching them, two months after the critical vulnerability was publicly known and widely exploited. Bleeping Computer learned that two Staples website API endpoints let customers track orders using their order number and zip code. Two factors made the exposure possible: order numbers were sequential and therefore easy to guess, and requesting tracking information did not actually require a zip code to be provided. By combining a valid order number with the corresponding zip code learned from the tracking information, a threat actor could retrieve full order details. The good news is that Staples has yet to see any unauthorized purchases on affected accounts. Information that could have been exposed includes full name, the last four digits and type of credit card, phone number, full postal address, email address, history of ordered items, and other personally identifiable information that could be used to obtain even more data.
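The weakness described above is an enumeration problem: a guessable, sequential identifier that an unauthenticated endpoint answers without a second factor such as the zip code. As an added illustration (not code from the article or from Staples), the detector below reads web access logs for such an order-tracking endpoint and flags clients whose successful lookups step through order numbers in small increments, which is how an enumeration of sequential IDs looks from the server side. The endpoint path, client addresses and log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Endpoint path and log lines are constructed for illustration; the article names neither.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /api/orders/(?P<order>\d+)/tracking[^"]*" (?P<status>\d{3})'
)

# Constructed access-log sample: one client walking consecutive order numbers, one
# looking up a handful of unrelated orders over a couple of hours.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2020:10:01:01 +0000] "GET /api/orders/100231/tracking HTTP/1.1" 200 512
10.0.0.5 - - [14/Sep/2020:10:01:02 +0000] "GET /api/orders/100232/tracking HTTP/1.1" 200 498
10.0.0.5 - - [14/Sep/2020:10:01:02 +0000] "GET /api/orders/100233/tracking HTTP/1.1" 200 503
10.0.0.5 - - [14/Sep/2020:10:01:03 +0000] "GET /api/orders/100234/tracking HTTP/1.1" 200 511
10.0.0.5 - - [14/Sep/2020:10:01:03 +0000] "GET /api/orders/100235/tracking HTTP/1.1" 200 490
10.0.0.5 - - [14/Sep/2020:10:01:04 +0000] "GET /api/orders/100236/tracking HTTP/1.1" 200 507
203.0.113.9 - - [14/Sep/2020:10:05:00 +0000] "GET /api/orders/100231/tracking HTTP/1.1" 200 512
203.0.113.9 - - [14/Sep/2020:10:40:12 +0000] "GET /api/orders/873319/tracking HTTP/1.1" 200 488
203.0.113.9 - - [14/Sep/2020:11:02:45 +0000] "GET /api/orders/552014/tracking HTTP/1.1" 200 495
203.0.113.9 - - [14/Sep/2020:11:30:09 +0000] "GET /api/orders/610877/tracking HTTP/1.1" 200 501
203.0.113.9 - - [14/Sep/2020:12:15:31 +0000] "GET /api/orders/999002/tracking HTTP/1.1" 200 509
"""

def parse_line(line):
    """Return (ip, order_number, status) for a tracking lookup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("order")), int(m.group("status"))

def find_enumeration(lines, min_requests=5, max_step=3, min_ratio=0.8):
    """Flag clients whose 200 responses step through order numbers in small increments; a repeated poll of the same order (step 0) is not counted."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 200:
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, orders in per_ip.items():
        if len(orders) < min_requests:
            continue
        steps = [abs(b - a) for a, b in zip(orders, orders[1:])]
        ratio = sum(1 for s in steps if 0 < s <= max_step) / len(steps)
        if ratio >= min_ratio:
            flagged[ip] = {"requests": len(orders), "sequential_ratio": round(ratio, 2)}
    return flagged
```

On the sample, only 10.0.0.5 is flagged; the same signal (many successes on adjacent identifiers from one client) is the basis for rate limiting, and the lasting fix is to stop issuing guessable sequential order numbers and to enforce the zip-code check on every tracking response.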

ANALYST NOTES

Staples has stated that the issue no longer exists and has reached out to potentially affected customers. Any customers who believe their information may have been compromised should be mindful of suspicious emails. Customers should also keep an eye on their bank statements and be on the lookout for unusual charges to their accounts.

Source: www.bleepingcomputer.com/news/security/staples-data-breach-caused-by-bug-in-order-tracking-system/