Jewellery Site Leaks Personal Data of 1.3 Million Customers

Jewellery company MBM Company Inc. which sells the trinkets in both Canada and the US has had 1.3 million accounts leak online.

There hasn’t been much in the way of new blockbuster data leaks this month. Unfortunately, that has now changed. According to The Next Web, security researchers stumbled across a database which contained the passwords and personal information of 1.3 million accounts. The data was found on an unprotected backup on Amazon S3 storage bucket. From the report:

According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. He also claims the database contained plaintext passwords — which is a big security ‘no-no.’

In a press release, Diachenko said: “Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.”

The backup file was named ‘MBMWEB_backup_2018_01_13_003008_2864410.bak,’ which suggests the file was created on January 13, 2018. It’s believed to contain current information about the company’s customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year.

Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company.

TNW spoke to Diachenko earlier today. When asked to put the severity of this incident into context, he said: “I consider it as a quite serious incident for a number of factors. First, [it has] a rather ‘easy-to-guess’ bucket name which opens a big possibility that somebody has already seen the data. With so many scanning tools available online, there is a big chance that this combination of a ‘big brand and common suffix’ S3 domain name has appeared on someone’s radar.”

The news comes as US lawmakers consider a bill that would make it easier for companies to not disclose data breaches and leaks to the public. The bill would compel smaller companies to disclose leaks and breaches only if there is evidence that the information is being misused. In this case, there is no evidence of that. As such, had this bill come into law and security researchers never found it, this disclosure would have never been made public.

This marks the first significant data breach of its size we’ve been made aware of this month.

Drew Wilson on Twitter: @icecube85 and Google+.


4 Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *