Fashion retailer BrandBQ exposes 1 TB of customers, contractors data

The database was hosted on a misconfigured Elasticsearch server.

Database leaks have become a common occurrence, with a breach happening almost every day. In the latest, researchers from vpnMentor have reported a database leak, discovered on June 28, 2020, caused by a misconfigured Elasticsearch server.


The researchers attributed the database to BrandBQ, a Polish online fashion retailer that also operates physical outlets. With over 500,000 downloads on Android alone, plus its iOS installations, the number of users impacted is immense, estimated to be up to 6.7 million people.




These users are located mainly in 7 Eastern European countries such as Poland, Romania, Hungary, Bulgaria, Slovakia, and the Czech Republic.


The exposed data amounts to over 1 TB, comprising 1 billion records, and includes a range of personally identifiable information (PII) of the company’s customers, such as full names, email addresses, phone numbers, and payment details without card numbers.

But this is not all: confidential details of its local contractors have also been revealed, which go beyond the previously mentioned PII and additionally include VAT numbers, payment methods, names of the package receivers, and purchase information connected to orders.


Unlike in the usual cases, another layer of data with 49 million entries was also leaked here. This involved details about how the company’s database is structured and how it responds to scenarios like system errors and blacklisted emails – all of which could be used by future attackers to their ad ..