Walmart jewelry partner exposed 1.3 million customer details

MSSQL database containing the personal information of approximately 1.3 million people found in another public Amazon S3 Bucket


On February 6th, 2018 researchers at Kromtech Security came across another publicly accessible Amazon S3 bucket. This one contained an MSSQL database backup, which was found to hold the personal information, including names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and, most shockingly, plain text passwords, for the shopping accounts of over 1.3 million people (1,314,193 to be exact) throughout the US and Canada.

At first glance the data appeared to belong to Walmart, as the storage bucket was named 'walmartsql', but upon further investigation by Kromtech researchers it was discovered that the MSSQL database backup inside actually belonged to MBM Company Inc., a jewelry company based in Chicago, IL, which operates mainly under the name Limogés Jewelry.

The backup was named MBMWEB_backup_2018_01_13_003008_2864410.bak, which indicates that it may have been public since January 13, 2018. The database was found to contain records for many retailers other than Walmart. It also contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc. Records were seen with dates ranging from 2000 to early 2018.

Negligent Security on Multiple Levels

The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data anywhere directly online is astonishing, and it is completely unfathomable that any company would store passwords in plain text instead of encrypting them.

“Passwords were stored in the plain text, which is great negligence, taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.” - Bob Diachenko, head of communications for Kromtech

Stored passwords should only ever be kept fully encrypted. In addition, given the number of brute force password cracking tools available and today's computing power, companies should enforce more complex passwords with a minimum of 10-12 characters containing at least one upper case letter, one lower case letter, one number, and one symbol such as (#%^&!).

Looking through the plain text passwords within the MBM Company Inc. database shows that people will still use very simple passwords if allowed. Some of the passwords seen in the database were so simple (lowercase words that can be found in the dictionary) that even had they been encrypted, they could be guessed by a machine trying regular words in mere seconds.
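The password policy described above (length, character classes) together with the dictionary-word weakness the database exposed can be expressed as a registration-time check. This is an added example, not code from the article or from MBM; the 12-character minimum, the symbol set and the tiny sample wordlist are assumptions standing in for a real policy and dictionary file.

```python
import re
from typing import List, Set

# Policy as stated in the article: 10-12 character minimum (12 assumed here),
# at least one upper-case letter, one lower-case letter, one digit, one symbol.
MIN_LENGTH = 12

# Constructed sample wordlist; a real deployment would load a full dictionary
# plus a breached-password list instead of these five entries.
SAMPLE_DICTIONARY: Set[str] = {"password", "jewelry", "welcome", "summer", "diamond"}


def policy_violations(password: str, dictionary: Set[str] = SAMPLE_DICTIONARY) -> List[str]:
    """Return the reasons a candidate password fails the policy (empty list = accepted)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Dictionary check: a plain word, or a word padded with trailing digits and
    # symbols ("Diamond2018!"), still falls to a wordlist run in seconds even
    # when the stored form is hashed or encrypted.
    stem = re.sub(r"[^a-z]+$", "", password.lower())
    if stem in dictionary:
        problems.append("based on a dictionary word")
    return problems


def passes_policy(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("jewelry", "Diamond2018!", "Xq7#rL2!vB9m"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```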

Such a lack of security on so many levels in this day and age for personal customer information is pure negligence, and there is no excuse, given how many public s3 buckets have been found and reported, to have any personal customer data still being found in them.

A Privacy Policy Is Only Valid If Followed!

The fact that this database contains detailed customer records for retailers other than the one where it was found (Walmart), and that these records contain so much customer information, including e-mail addresses, appears to indicate that MBM Company Inc. may be sharing all of its data between retailers.

From https://www.limogesjewelry.com/customer-service/privacy:

Your Personal Information

Limogés Jewelry collects information that you volunteer in order to process your order, to inform you of special offers, and so that you may receive superior customer service. We do not share your e-mail address with anyone outside of Limogés Jewelry other than when necessary to fulfill your order. On occasion, we may share other information with very carefully selected partners in order to provide you with outstanding special offers, but we will only do so with your consent.

Company Information

MBM Company Inc. also does business under the names Limogés Jewelry, Jewelry Saving Plan, Carroll Street, and Freestyle Class Rings, but seems to do the majority of its business under the name Limogés Jewelry (source: https://www.bbb.org/chicago/business-reviews/faux-jewels/mbm-company-inc-in-chicago-il-86001086).

From www.limogesjewelry.com/aboutus:

For over 20 years, our team of experts have supplied top name retailers with exquisite pieces ranging from rings and earrings to pendants and personalized gifts. As a leading supplier of personalized jewelry, our uniquely designed items can be found in various jewelry catalogues {sic} and stores.

Some of these “top name retailers” include Walmart, HSN, Amazon, Overstock, Sears, Kmart, and Target. Limogés Jewelry is also sold throughout a vast number of online shops and boutiques. They also operate an affiliate network, which allows any site to earn by referral, giving them quite an extensive reach.

Notification and Response

Kromtech researchers notified Walmart of the public Amazon S3 bucket immediately upon discovery. Walmart has since secured the storage bucket but was unable to comment on MBM Company Inc. MBM Company Inc. was contacted and, as of publication, has not responded.

Kromtech Tools and Services

In October 2017 the Kromtech Security Center released a free scan tool that helps identify and secure publicly accessible Amazon S3 buckets within an organization's network. We have also published an in-depth guide explaining how to secure Amazon S3 buckets for better data security.
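The two ways a bucket like this one ends up world-readable are an ACL grant to the AWS "everyone" groups and a bucket policy whose principal is "*". The check below is an added example (not Kromtech's scan tool or any AWS-provided code) that audits both, operating on dicts in the shape boto3's get_bucket_acl() and get_bucket_policy() return; the sample ACL and policy are constructed, and the bucket name is a placeholder.

```python
import json
from typing import Dict, List, Tuple

# AWS's predefined groups for "anyone on the internet" and "any AWS account";
# an ACL grant to either one makes the bucket listable or writable by outsiders.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (permission, group URI) pairs from a bucket ACL that expose it."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant["Permission"], grantee["URI"]))
    return findings


def public_policy_statements(policy_json: str) -> List[str]:
    """Return Sids of Allow statements open to any principal. A statement that
    carries a Condition is flagged too, since it may still be reachable."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    sids = []
    for st in statements:
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone:
            sids.append(st.get("Sid", "<no Sid>") + (" (conditional)" if "Condition" in st else ""))
    return sids


# Constructed sample: owner keeps FULL_CONTROL, but AllUsers was granted READ
# (list the bucket) and a policy lets anyone fetch every object.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})
```

Any non-empty result from either function means the bucket needs its ACL reset and the public statement removed (or, better, S3 Block Public Access enabled at the account level).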

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: security@kromtech.com
