Researchers Uncover Data Breach Affecting 1.3TB of Web Server Log Entries held by Chinese E-commerce Website LightInTheBox


Things you don't do with Elasticsearch dbs, number 1: Put them on the web


Exclusive: Infosec researchers have uncovered a data breach affecting 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com.


Noam Rotem and Ran Locar, of VPN comparison site VPNmentor’s research team, uncovered the breach in late November.


The data was “unsecured and unencrypted”, accessible from an ordinary web browser and was being held on an Elasticsearch database, which, as the two noted, “is ordinarily not designed for URL use”.


“The database [we found] was a web server log – a history of page requests and user activity on the site dating from 9th of August 2019 to 11th of October,” said the two researchers in a statement about their findings shared with The Register, adding that it appeared to contain around 1.5bn entries.


The server logs included user email addresses, IP addresses, countries of residence and pages each visitor viewed on LightInTheBox’s website. It also contained data from the company’s subsidiary sites including MiniInTheBox.com.
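The entries described above (client IP, pages viewed, email addresses) are exactly what an access log accumulates when a site puts user identifiers into request URLs and then ships the raw log into a search index. The following is an added example, not code from the researchers, from The Register or from LightInTheBox, showing a pre-indexing scrubber that finds email addresses in request paths and query strings (including percent-encoded ones such as `alice%40example.com`, which a naive search on the raw line would miss) and pseudonymises client IPs. The log lines are constructed samples in the common "combined" layout; the page does not show how the site's own logs carried email addresses, so placing them in query parameters and paths is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote

# Constructed sample lines in the common "combined" access-log layout (not data from the breach).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [12/Aug/2019:10:01:22 +0000] "GET /account?email=alice%40example.com&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Aug/2019:10:01:25 +0000] "GET /products/gadgets HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2019:10:02:01 +0000] "POST /newsletter/subscribe HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Aug/2019:10:03:10 +0000] "GET /unsubscribe/bob%40example.org HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

# One line of the combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "REDACTED"


def scrub_url(url):
    """Return (url with email addresses replaced, list of emails found).

    Path and query values are percent-decoded before matching, so an address
    logged as 'alice%40example.com' is caught as well as a bare one.
    """
    parts = urlsplit(url)
    found = []
    path = unquote(parts.path)
    found += EMAIL_RE.findall(path)
    path = EMAIL_RE.sub(REDACTED, path)
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        found += EMAIL_RE.findall(value)
        query.append((key, EMAIL_RE.sub(REDACTED, value)))
    # Re-encode the path; other characters may be normalised, which is acceptable for a log.
    scrubbed = parts._replace(path=quote(path, safe="/"), query=urlencode(query))
    return urlunsplit(scrubbed), found


def mask_ip(ip):
    """Zero the last octet of an IPv4 address (a common pseudonymisation); other values pass through unchanged."""
    octets = ip.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return ".".join(octets[:3] + ["0"])
    return ip


def redact_log_line(line):
    """Return (redacted line, findings). Unparseable lines are returned untouched and flagged."""
    m = LOG_RE.match(line)
    if not m:
        return line, {"parsed": False, "emails": []}
    r = m.groupdict()
    path, emails = scrub_url(r["path"])
    referer, ref_emails = (r["referer"], []) if r["referer"] == "-" else scrub_url(r["referer"])
    findings = {"parsed": True, "client_ip": r["ip"], "emails": emails + ref_emails}
    redacted = (
        f'{mask_ip(r["ip"])} {r["ident"]} {r["user"]} [{r["ts"]}] '
        f'"{r["method"]} {path} {r["proto"]}" {r["status"]} {r["size"]} "{referer}" "{r["ua"]}"'
    )
    return redacted, findings


def scan_and_redact(lines):
    """Return (redacted lines, report). The report lists which input lines carried email addresses."""
    out, report = [], []
    for n, line in enumerate(lines, 1):
        redacted, findings = redact_log_line(line)
        out.append(redacted)
        if findings["emails"]:
            report.append({"line": n, "emails": findings["emails"]})
    return out, report


if __name__ == "__main__":
    clean, hits = scan_and_redact(SAMPLE_LOG_LINES)
    for entry in hits:
        print(f"line {entry['line']}: email address(es) in request: {entry['emails']}")
    print("\n".join(clean))
```

Run as a filter between the web server and the indexer, the report side tells you which endpoints leak identifiers into URLs (worth fixing at the application), while the redacted side is what should reach a search index; and whatever reaches the index still needs authentication and a non-public bind address, which is the point of the sub-heading.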


LightInTheBox is a typical online retailer selling retail goods such as gadgets, clothing and small accessories. The site has very few clues about its Chinese origins other than sponsored links at the bottom of its homepage with a distinctly Chinese theme.






Code snippets shared with The Register showed precisely how users’ email addresses were exposed.






Aside from LightInTheBox.com, the breached database also contained data from the firm’s subsidiary sites, including MiniInT ..
