Hobby Lobby Exposes Customer Data in Cloud Misconfiguration

by | Mar 24, 2021

hobby lobby cloud expose customer data

Post Views: 553

style="display:block" data-ad-client="ca-pub-6620833063853657" data-ad-slot="8337846400" data-ad-format="auto" data-full-width-responsive="true">
 
 
 

 

 

Reading Time: 1 Minute

 

Arts-and-crafts retailer Hobby Lobby has suffered a cloud-bucket misconfiguration, exposing a raft of customer information, according to a report.

 

 
 
 

 

 

 

An independent security researcher who goes by the handle “Boogeyman” uncovered the issue and reported it to Motherboard in an online chat, according to a Vice writeup.

The researcher said that customer names, partial payment-card details, phone numbers, and physical and email addresses were all caught up in the leak – along with source code for the company’s app, and employee names and email addresses.

Boogeyman offered screenshots verifying the exposure of the data, which totaled 138GB and impacted around 300,000 customers. It was housed in an Amazon Web Services (AWS) cloud database that was misconfigured to be publicly accessible. The issue is now resolved, but it’s unclear if any malicious actors tapped the information before the database was secure.

 

 

See Also: Adobe Fixes Critical ColdFusion Flaw in Emergency Update

 

 

 

 

“We identified the access control involved and have taken steps to secure the system,” Hobby Lobby told Motherboard. Threatpost has reached out to Hobby Lobby to independently confirm the issue.

 

Cloud Misconfigurations: A Cyberthreat Attack Vector

 

Cloud misconfigurations are a common threat vector for organizations of all sizes. For instance, an analysis last fall found that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.

“The Hobby Lobby incident is the latest example of why we need to take public cloud threat vectors so seriously,” said Douglas Murray, CEO at Valtix, told Threatpost. “In 2020, spend in public cloud exceeded spend in on-prem data centers for the first time. The hackers are doing their own version of ‘lift and shift’ and are aggressively moving to where the market is going. Just as concerning is that for every Hobby Lobby like leak that we learn about, there is another that goes undetected.”

Hank Schless, senior manager of security solutions at Lookout, noted that such misconfigurations are easy to do.

 

See Also: Offensive Security Tool: Skipfish

 
 
 
 

“Misconfigured cloud resources are frequently the cause of data breaches like this one,” he told Threatpost. “Organizations that have transitioned to the cloud have massive infrastructure that spans thousands of host servers and other services. Amazon’s S3 service is the base data storage offering for AWS, which means it’s simple to set up and integrate S3 buckets into cloud infrastructure. Unfortunately, that simplicity they offer and the speed at which organizations scale these services up and down oftentimes means the configuration of these buckets is overlooked and the data inside is left exposed.”

He added to mitigate the risk of a breach, organizations need to be sure they secure every aspect of their infrastructure from the individual endpoint all the way up to the cloud service itself.

 

 

See Also: Hacking Stories: Albert Gonzalez & the ‘Get Rich or Die Trying’ Crew who stole 130 million credit-card numbers

 

 

“Advanced cloud access security broker (CASB) technology helps secure access to these resources,” he said. “Coupling CASB with a security posture management tool ensures secure access and configuration of cloud infrastructure. Cloud providers offer countless supporting services and integrations that help teams build a well-architected infrastructure. Leveraging these services should be done in tandem with security teams to ensure there aren’t any misconfigurations that leave data exposed or violate compliance policies.”

 

 

 

 

Source: https://threatpost.com

 

 
(Click Link)

 

 

style="display:block" data-ad-client="ca-pub-6620833063853657" data-ad-slot="8337846400" data-ad-format="auto" data-full-width-responsive="true">

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This