Wegmans Exposes Customer Data in Misconfigured Databases
2021-06-21 21:52

Wegmans Food Markets, the U.S. supermarket chain, has notified customers that some of their data was exposed because two of its cloud-based databases were misconfigured, making them publicly accessible online.

The databases contained customer information including names, addresses, phone numbers, birth dates, Shoppers Club numbers, as well as e-mail addresses and passwords for access to Wegmans.com accounts.

The company added that all of the affected account passwords were salted and hashed, meaning that the actual passwords were obscured and not viewable in the databases.

BleepingComputer spotted a notification letter that Wegmans posted on March 31 in which Wegmans told customers that it had been subjected to credential-stuffing attacks in January, likely with credentials stolen from other online services.

Clements said via email that with the latest disclosure, "I can easily envision a scenario in which this new breach could have predated and in fact generated the credential-stuffing attack in March. It makes a lot of sense that an initial attacker noticed the unprotected data, cracked as many account passwords as they could, and then launched an attack to log in to the cracked accounts and steal as much data as possible."

Wegmans forced a password reset on all affected accounts to prevent the attackers from successfully logging in.


News URL

https://threatpost.com/wegmans-exposes-customer-data-misconfigured-databases/167099/