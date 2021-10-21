A misconfigured database belonging to Hariexpress, a platform used by some of Brazil's largest retailers, exposed 1.75 billion records, according to the Safety Detectives cybersecurity research lab. The error left information such as the names, telephone numbers and addresses of customers and sellers publicly accessible.

The researchers identified a misconfiguration in the Hariexpress database. The company's service integrates with marketplaces run by companies such as Amazon, Mercado Livre, B2W Digital, Shopee and Magazine Luiza; those stores themselves were not involved in the incident.

Hariexpress’ platform allows sellers to display their products across multiple retailers. The integration, however, gives Hariexpress access to information about retailers, customers and orders.

Safety Detectives says the size of the database makes it difficult to know precisely how many people have been affected, but estimates that the incident affects “hundreds of thousands, if not millions of Brazilian users and buyers”.

“We know there were thousands of email addresses in the server logs and as such we can assume that thousands of people were affected,” the lab said.

“However, an accurate estimate is difficult due to the presence of duplicate email addresses.”

Hariexpress offers a service with which merchants can automate their sales through marketplaces, the online storefronts where large retailers list third-party products.

To simplify the process, Hariexpress offers a platform on which sellers can list their products in multiple stores at once. In addition to the marketplaces already mentioned, the company integrates with tinyERP, Bling! and Cloudshop, as well as with Correios, the Brazilian postal service.

The data was exposed by a misconfigured Hariexpress server: the database was reachable without a password and without encryption in transit.
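The two weaknesses just described, no password and no encryption, are the ones an exposure check should look for. The following Python script is an added example, not code from the original article or from Hariexpress or Safety Detectives. The page does not name the database engine, so the script assumes an HTTP-accessible datastore (an assumption, not something the article states); it sends a request carrying no credentials, first in plaintext and then over TLS, and reports whether data comes back anonymously and whether the port speaks TLS at all. Two local fake servers, one open and one demanding credentials, stand in for a real host so the script runs offline.

```python
"""Added example (not from the article): probe a datastore endpoint for anonymous
read access and for the absence of TLS. Assumes an HTTP-accessible datastore; the
engine behind the real incident is not named on the page."""
import http.client
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample document (no real data), shaped like the categories of
# information the article lists: name, e-mail, telephone, address.
SAMPLE_DOC = {"name": "Example Seller", "email": "seller@example.invalid",
              "phone": "+55 11 0000-0000", "city": "São Paulo"}


def _make_handler(require_auth):
    """Return a handler that acts as an open store (200 + data) or as a store
    that rejects requests without an Authorization header (401)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="datastore"')
                self.end_headers()
                return
            body = json.dumps({"hits": [SAMPLE_DOC]}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_fake_server(require_auth):
    """Start a plaintext HTTP 'datastore' on 127.0.0.1 and a random port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _fetch(conn, path):
    conn.request("GET", path)  # deliberately no Authorization header
    resp = conn.getresponse()
    return resp.status, resp.read()


def probe_datastore(host, port, path="/", timeout=3.0):
    """Describe what an anonymous client sees at host:port.

    Returns {'tls': bool, 'status': int | None, 'exposed': bool}; 'exposed' is
    True when a request with no credentials receives a 200 and a body.
    """
    tls, status, body = False, None, b""
    # 1. Plaintext first: an unencrypted listener answers immediately.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        status, body = _fetch(conn, path)
    except (OSError, http.client.HTTPException):
        pass  # reset or non-HTTP bytes: the listener may be TLS-only
    finally:
        conn.close()
    # 2. Retry over TLS if plaintext failed or got a 400 (some TLS front ends
    #    answer a plaintext request with "400 Bad Request").
    if status is None or status == 400:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only testing whether TLS is offered
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        try:
            status, body = _fetch(conn, path)
            tls = True
        except (OSError, http.client.HTTPException):
            pass
        finally:
            conn.close()
    return {"tls": tls, "status": status, "exposed": status == 200 and len(body) > 0}


def demo():
    """Probe an open and a credential-guarded fake store; return both results."""
    open_srv, open_port = start_fake_server(require_auth=False)
    guarded_srv, guarded_port = start_fake_server(require_auth=True)
    try:
        return {"open": probe_datastore("127.0.0.1", open_port),
                "guarded": probe_datastore("127.0.0.1", guarded_port)}
    finally:
        for srv in (open_srv, guarded_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, r in demo().items():
        verdict = "EXPOSED: anonymous read, no TLS" if r["exposed"] and not r["tls"] else "ok"
        print(name, r, verdict)
```

Against the open fake server the probe reports a 200 with data over plaintext, which is the combination the article describes; against the guarded one it reports a 401 and no data. A port that only answers over TLS still shows up as `exposed` if it returns data anonymously: encryption in transit does not substitute for authentication.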

The Hariexpress database held 610 gigabytes of data, according to Safety Detectives. The records included personal data of customers and sellers, such as:

Full name (and username)

Email

Telephone

Address

Billing address and order amounts

Images of delivered products

Also according to the lab, seller data included CNPJ and CPF numbers (the Brazilian company and individual taxpayer identifiers) and billing details. The researchers say the database also contained links to invoices (which carry both customer and business addresses), encrypted passwords and order tracking codes.

The researchers point out that the records in the database were in Portuguese and contained several references to Hariexpress. The lab says it discovered the flaw in June, but warns that the information had apparently been exposed since at least 12 May.

The group said it was unable to get Hariexpress to address the exposure on the server.

What is the impact of the failure?

Most of the exposed information belongs to customers of the merchants who used the Hariexpress platform.

Once public, the e-mail addresses can be used in phishing and social engineering scams, in which victims are tricked into revealing further private data on websites set up by the scammers. The information can also be used to send fake bills and invoices, for example.

For the sellers, there is a risk of fraudulent refund requests and account takeover. The researchers also point out that the exposure could enable corporate espionage, since companies could look up details of their competitors' best-selling products.