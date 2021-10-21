A report released by an independent digital security laboratory that brings together researchers from different parts of the world found that the online sales platform Hariexpress, a partner of retail giants operating in Brazil such as Magalu, Mercado Livre and Amazon, exposed more than 1.75 billion confidential records.

The finding was published by the Safety Detectives group. The exposed data amounts to 610 gigabytes.

In its portfolio, the platform states that it serves e-commerce operations on Amazon, B2W Digital (Americanas), Bling!, Cloudshop, Magalu, Mercado Livre, Shopee and TinyERP. Correios also has a partnership with it.

Tilt contacted Hariexpress, which is headquartered in São Paulo, by phone and email and is awaiting the company's position on the case. This text will be updated if the company responds.

What the report shows

Safety Detectives is an independent pro bono (public-interest) service that brings together researchers to test antivirus and internet security products. Its report states that Hariexpress operates as an integration service for multiple online marketplaces, letting merchants organise and automate their sales across different stores.

The researchers found a misconfigured Hariexpress server running Elasticsearch, a search and analytics engine that is commonly used as the database behind websites. The instance was exposed without encryption (an extra layer of protection that, put simply, scrambles data in transit so that it cannot be read by anyone intercepting it) and without any password protection, so anyone who reached it on the network could read its contents without logging in.

According to the document, this "exposed a large amount of PII [personally identifiable information] of e-commerce customers and platform users".

Safety Detectives reported that its systems detected the exposure in May 2021, but the report was only released in October because the data was in Portuguese.
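As an added illustration (not code from the Safety Detectives report, from Tilt or from Hariexpress), the following Python script shows how an open Elasticsearch node is recognised from its unauthenticated banner and how the headline figures of an exposure report, record count and volume, are derived from the node's own index listing. The host URL passed to probe() is hypothetical and all sample responses are constructed; the constructed index totals deliberately add up to 1.75 billion documents and 610 GB to mirror the figures in the article.

```python
"""Triage an Elasticsearch endpoint the way an exposure report does.

Added example, not code from the Safety Detectives report or from Hariexpress.
The host checked by probe() is a hypothetical Elasticsearch instance reachable
over HTTP; the sample responses below are constructed so the module runs offline.
"""
import json
import re
import urllib.error
import urllib.request

# Multipliers for the human-readable sizes that _cat/indices prints (e.g. "400gb").
_UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3, "tb": 1024**4}


def parse_size(text):
    """Convert a _cat/indices size such as '12.3gb' or '512b' to an integer byte count."""
    m = re.fullmatch(r"\s*([0-9.]+)\s*([kmgt]?b)\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def classify_root(status, body):
    """Classify the response to GET / on the REST port (9200 by default).

    'open'          : the node returned its banner (cluster_name + version) with no credentials
    'auth-required' : security is enabled and the node answered HTTP 401
    'unknown'       : anything else (not Elasticsearch, proxy page, error)
    """
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def summarise_indices(cat_indices_json):
    """Total documents and primary store size from GET /_cat/indices?format=json.

    This is the arithmetic behind headline figures such as 'N records, M GB'.
    System indices (names starting with '.') are skipped; they hold no user data.
    """
    docs, size, names = 0, 0, []
    for idx in json.loads(cat_indices_json):
        if idx["index"].startswith("."):
            continue
        docs += int(idx.get("docs.count") or 0)
        size += parse_size(idx.get("pri.store.size") or "0b")
        names.append(idx["index"])
    return {"indices": names, "docs": docs, "bytes": size}


def probe(base_url, timeout=5):
    """Live check of a hypothetical instance: returns (classification, summary or None)."""
    root = base_url.rstrip("/") + "/"
    try:
        with urllib.request.urlopen(root, timeout=timeout) as r:
            verdict = classify_root(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        verdict = classify_root(e.code, e.read().decode("utf-8", "replace"))
    if verdict != "open":
        return verdict, None
    with urllib.request.urlopen(root + "_cat/indices?format=json", timeout=timeout) as r:
        return verdict, summarise_indices(r.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "orders",
    "version": {"number": "7.10.2"}, "tagline": "You Know, for Search",
})
SAMPLE_ROOT_SECURED = json.dumps({
    "error": {"root_cause": [{"type": "security_exception",
                              "reason": "missing authentication credentials for REST request [/]"}]},
    "status": 401,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": ".kibana_1", "docs.count": "3", "pri.store.size": "10.4kb"},
    {"index": "orders-2021", "docs.count": "1200000000", "pri.store.size": "400gb"},
    {"index": "sellers", "docs.count": "550000000", "pri.store.size": "210gb"},
])

if __name__ == "__main__":
    print(classify_root(200, SAMPLE_ROOT_OPEN))       # open
    print(classify_root(401, SAMPLE_ROOT_SECURED))    # auth-required
    print(summarise_indices(SAMPLE_CAT_INDICES))      # 1.75 billion docs, 610 GB
```

Two practical notes. The _cat/indices figures are rounded for display; append `bytes=b` to the request if exact byte counts matter. On the 7.x line the fix for the misconfiguration described above is `xpack.security.enabled: true` in elasticsearch.yml (it is on by default from 8.0) together with binding `network.host` to a private interface, so that the node never answers the unauthenticated banner request in the first place.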

What was exposed?

According to the report, the following data on buyers whose orders passed through the company was exposed:

Full names; and account “nicknames” (usernames)

Email address

Phone numbers

Full shipping addresses

Billing details, including billing addresses and the amount paid for the goods

Images of the delivered goods.

The exposure went further: the researchers also identified leaked data on sellers:

Full names of sellers; and account “nicknames” (usernames)

Sellers email addresses

Seller phone numbers

Commercial / residential addresses of sellers

CNPJ numbers of sellers (the registration number of Brazilian companies)

CPF numbers of sellers (the Brazilian individual taxpayer number)

Billing details including unit price and sales time.

“Leakage of order details can be a problem in a number of ways. Some records reveal confidential purchase details for e-commerce customers. Private orders now reveal personal information that could be considered embarrassing or harmful,” the document said.

For the researchers, this exposure can make customers and sellers targets of scams. The report does not say how many individuals or companies the 1.75 billion records correspond to.

“Hariexpress users can be targeted for phishing attempts and scams using this information. For example, a hacker could pose as a dissatisfied customer when requesting a refund or a new order, citing the extensive list of order records and invoice information,” the group wrote.

Vulnerability is worrying, says expert

For Hiago Kin, president of Abraseci (Brazilian Cybersecurity Association), “this is probably the biggest solid and verified case of data leakage in 2021”.

He considers that the Safety Detectives researchers “do serious work” and is concerned about the details of the leaked data.

“The information obtained is as complete as possible, from addresses to fiscal and financial data, not only on buyers but also on retailers, and the damage to the credit market and to the population as a whole is incalculable,” said Kin.

The expert points out that “the lack of security configuration in technologies is the most frequent factor in data leak cases”. He recommends that Hariexpress's partner companies carry out constant audits to keep their data protected.

“If the companies impacted by the leak had had an audit policy for their suppliers covering security tests, the vulnerability would likely have been detected,” he adds.

What companies say

In a note sent to Tilt, Amazon says it takes data security very seriously. “We developed all our systems and processes with information security in mind. With respect to this episode, we were informed by HariExpress that no Amazon data leaked,” the note adds.

Americanas said that it “is not aware of any data leak involving its customers or any vulnerability in its environment. This information was also confirmed by Hariexpress last week” and that it “continues to offer a complete and secure platform, in compliance with all current legislation”.

Bling! says it is following “the press reports” and has “no way to comment on alleged occurrences in third-party environments”. “We reinforce that our environments did not present any leakage situation,” it states.

Correios sent a note saying that “so far, there is no evidence of a breach of information, on individuals or legal entities, from the state-owned company's database. The Correios system, which maintains an integration with the aforementioned server, acts only in measuring order weights and pricing, with no processing of personal data”.

Cloudshop stated that it “is aware of what happened and has already contacted Hariexpress asking for clarification, but so far has not received any response from the company. Cloudshop reinforces that it is taking steps to protect the privacy of its users and reiterates its commitment to the security and protection of data”.

Magalu clarified that it “relied on HariExpress as one of its integrators for a period of ten months. During that period, HariExpress added only 30 sellers [to add products] to the company's platform and recorded 12 sales. So far, Magalu has not recorded any data leak.”

Mercado Livre preventively suspended Hariexpress's operation on its platform “as soon as it learned what happened”. The company maintains that the platform “acts as a marketplace integrator, providing services exclusively to sellers who advertise products on different marketplace platforms, including Mercado Livre”.

Also in a note, Shopee said, “HariExpress has already reported that the company’s users have not been impacted. Shopee takes data privacy very seriously and is committed to ensuring the security and protection of data for everyone in the ecosystem.”

Tiny ERP stated that the company's customers “may use integrated third-party solutions and, in that case, the customer is responsible for sharing and authorising access to their Tiny account data via the integration API”. The company states that it has no “link with the company Hariexpress” and denies any data leak.