In February, researchers at SafetyDetectives disclosed a data breach impacting French e-commerce platform Melijoe. According to investigators, the high-end children’s fashion retailer failed to secure an Amazon S3 bucket, exposing approximately 2 million files, weighing in at 200GB.
What was exposed?
Upon access, researchers were able to view tens of thousands of logs containing sensitive data and personally identifiable information (PII) of around 200,000 Melijoe shoppers from France, Germany, the UK, the US and Russia. The leaked data included:
· Preferences data sets exposing email addresses, children’s names, genders, date of birth and brand preferences
· Wishlists data sets exposing over 63,000 unique email addresses, date products were added to wishlists, date of any removed products and item codes
· Purchase data sets exposing over 150,000 unique email addresses and purchase information such as ordered items’ SKU code, time of placed order, prices and currencies, payment methods, delivery addresses, date of delivery and billing addresses with full names and phone numbers
“Purchases data seemingly affected the largest number of users compared to the other two datasets,” investigators said.
“These logs extensively detail the purchasing behavior of Melijoe customers. Again, this reveals private information which could be used against consumers. Some customers purchased a large number of products, while other customers bought just one or two items. As with wishlists, customers who ordered more items had more information exposed about their favored products.”
Breach timeline and impact
Investigators said they discovered the misconfigured server on Nov. 12, 2021. After failing to reach melijoe.com several times, the team contacted the French Computer Emergency Response Team (CERT) and AWS to disclose their findings.
The Amazon S3 bucket was secured on Feb. 18, 2022. Although SafetyDetectives could not confirm whether any malicious actors had accessed the files before Feb. 18, customers are advised to be wary of phishing attacks mimicking official Melijoe correspondence.
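The root cause described above is a bucket whose access controls let anyone on the internet read it. The following Python is an added example (it is not from the article, SafetyDetectives or Melijoe) showing how a defender can evaluate the three S3 documents that decide a bucket's public exposure: the bucket ACL, the bucket policy and the public access block. It runs offline on constructed sample data; the assumption is that in practice the caller fetches the real documents with boto3's get_bucket_acl, get_bucket_policy (whose "Policy" field is a JSON string to be parsed with json.loads) and get_public_access_block, passing None for the policy or block when a bucket has none.

```python
"""Assess whether an S3 bucket's ACL and policy expose it to anonymous readers.

Added example, not code from the original article. No AWS calls are made: the
dictionaries below are constructed to mirror the shapes boto3 returns.
"""
import json

# Grantee URIs that make an ACL grant public (AllUsers = anyone; AuthenticatedUsers =
# anyone with any AWS account, which is effectively public).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to the public groups in a bucket ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_anonymous(principal):
    """True when a policy statement's Principal is the wildcard in any of its forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return the Sids of unconditional Allow statements open to anonymous principals."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    sids = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue  # conditioned grants need manual review; not flagged as plainly public
        sids.append(statement.get("Sid", f"statement[{index}]"))
    return sids


def assess_bucket(acl, policy, public_access_block):
    """Combine ACL, policy and public access block into the bucket's effective exposure.

    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets neutralises
    public policy statements. A missing block (None) protects nothing.
    """
    block = public_access_block or {}
    acl_grants = acl_public_grants(acl)
    policy_sids = policy_public_statements(policy) if policy else []
    exposed_via_acl = bool(acl_grants) and not block.get("IgnorePublicAcls", False)
    exposed_via_policy = bool(policy_sids) and not block.get("RestrictPublicBuckets", False)
    return {
        "public_acl_grants": acl_grants,
        "public_policy_statements": policy_sids,
        "exposed": exposed_via_acl or exposed_via_policy,
    }


# Constructed sample documents (shapes follow boto3 responses; values are invented).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicList", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}]}
# The four account/bucket-level settings that close both exposure paths.
HARDENED_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, args in {"leaky": (LEAKY_ACL, LEAKY_POLICY, None),
                        "leaky-but-blocked": (LEAKY_ACL, LEAKY_POLICY, HARDENED_BLOCK),
                        "private": (PRIVATE_ACL, None, None)}.items():
        print(label, json.dumps(assess_bucket(*args)))
```

The check deliberately treats a policy statement with a Condition as "needs review" rather than public, because conditions such as a source-VPC restriction can make a wildcard principal harmless; flagging it blindly produces noise, while ignoring it would miss a weak condition. Run the same three-document evaluation for every bucket in an account, not only the ones known to hold customer data.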
“Hackers could reference any one of several exposed details to build a narrative around the email,” the investigators added. “For example, the hacker could reference a person’s preferences/wishlist to convince the customer they’re being offered a deal. The hacker may convince the victim to disclose their credit card credentials, for example, or click on a malicious link. Once clicked, such links can download malware onto the victim’s device—malicious software that allows hackers to conduct other forms of data collection and cybercrime.”
Check now if your personal information was stolen or made public online with Bitdefender’s Digital Identity Protection service. The tool helps prioritize your digital safety, offering a complete view of your online presence, data breach exposure and privacy risks.
In addition to a full mapping of your digital footprint – including publicly available data (email address, phone numbers, links to your social media accounts) – you also benefit from ongoing breach monitoring, a bunch of educational materials, and concise one-click action items to secure any privacy loopholes.