At the time of publishing this article, the data was still exposed and growing as there has been no response from Hariexpress.
The Brazilian E-commerce Marketplace Integrator platform Hariexpress (Hariexpress.com.br) has been caught exposing a massive trove of sensitive data belonging to its customers and vendors.
In total, the company has exposed more than 610GB worth of data containing over 1.75 billion (1,751,023,279) records without any security authentication.
Launched in 2018; Hariexpress integrates eCommerce marketplaces into a single platform to automate processes across different online stores.
It is worth noting that this massive exposure has been caused by a misconfigured Elasticsearch server. This means anyone with knowledge of exploiting the misconfigured Elasticsearch servers can access these records without the need for login credentials.
The incident was originally identified by team cybersecurity researchers at Safety Detectives led by Anurag Sen. According to their blog post, the exposed records include information on both customers and vendors (businesses using the Hariexpress platform). For instance, when it comes to customers, the content of the exposed data includes:
Images Full names Usernames Email addresses Phone numbers Billing details including billing addresses.