Elasticsearch server with no password or encryption leaks a million records
Researchers at security product recommendation service Safety Detectives claim they've found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.
Safety Detectives' report states it found a StoreHub server that stored unencrypted data and was not password protected.
StoreHub's wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers' activities.
Safety Detectives' post says it found the exposed server on January 12th and promptly reported it, then followed up - but StoreHub did not respond.
The server was secured by February 2nd. A statement from StoreHub sent to The Register disputes Safety Detectives' timeline - the company says it was alerted on February 3rd - but does not dispute the existence of the unsecured server.
"Upon being informed of the occurrence on an Amazon Web Services Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours." The company also revoked tokens in the dataset.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/06/16/storehub_data_leak/
Related vendor
VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
---|---|---|---|---|---|---|---|
Elasticsearch | 8 | 0 | 7 | 4 | 0 | 11 |