Ecco, a globally known manufacturer and retailer of shoes, accidentally exposed millions of documents online.

This means not only that anyone could have altered the data, but also that the severity of the server misconfiguration likely exposed the company to attacks that could have affected customers around the world.

How did this “leakage” of Ecco data come about?

“It’s no use carrying an umbrella if your shoes are leaking“, says an old Irish proverb; words that sum up the recent situation of Ecco, a Danish shoe manufacturer and retailer with thousands of shops and outlets all over the planet.

The Cybernews research team discovered an exposed instance hosting data belonging to Ecco: it turned out that the Danish company had left 50 indexes publicly exposed, with over 60GB of data accessible since June 2021, meaning that anyone could read them without a login or password.

As a result, millions of sensitive documents, from sales records to system information, were accessible, so anyone who found the instance could have viewed, modified, copied, stolen or deleted the data.

The Cybernews team later contacted the Danish shoe company. Although Ecco did not respond to Cybernews, the issue appears to have been fixed shortly afterwards.

What happened then?

The Cybernews cybersecurity research team recently discovered an exposed instance hosting Kibana, an Elasticsearch visualization dashboard, for the Danish shoe company. Kibana is the front end for browsing and charting the data held in Elasticsearch, a search and analytics store widely used by companies that manage large amounts of data.

Even though the instance hosting the dashboard was protected with HTTP (Hypertext Transfer Protocol) basic authentication, the server was misconfigured and let all API (Application Programming Interface) requests through without credentials. A password prompt on the dashboard is only as good as the rule that enforces it: if the Elasticsearch API behind Kibana answers on its own, the login screen protects nothing.

This misconfigured authentication allowed the researchers to list index names on Ecco’s Elasticsearch instance, revealing 50 exposed indexes holding over 60GB of data; the documents ranged from sales and marketing to registration and system information.
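The check the researchers effectively performed, probing the dashboard and the data API without any credentials and summing up what the index catalogue returns, can be scripted. The block below is an added example written for this article, not Cybernews’ or Ecco’s tooling. The paths `/app/kibana` and `/_cat/indices?format=json&bytes=b` are the standard Kibana and Elasticsearch endpoints; the `http_fetcher` target URL is whatever host you are authorised to test, and the sample catalogue is constructed here (the two index names and document counts echo the figures reported in the article, the byte sizes are invented).

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A fetcher returns (HTTP status, response body) for a path on the target.
Fetcher = Callable[[str], Tuple[int, str]]

# Endpoints assumed for this example: Kibana's UI and Elasticsearch's index
# catalogue (bytes=b makes the sizes plain integers, returned as strings).
DASHBOARD_PATH = "/app/kibana"
INDEX_CATALOGUE = "/_cat/indices?format=json&bytes=b"


@dataclass
class IndexSummary:
    name: str
    docs: int
    store_bytes: int


@dataclass
class ExposureReport:
    dashboard_status: int
    api_status: int
    indices: List[IndexSummary] = field(default_factory=list)

    @property
    def auth_bypassed(self) -> bool:
        # The dangerous combination: the UI is gated but the data API is not.
        return self.dashboard_status in (401, 403) and self.api_status == 200

    @property
    def total_docs(self) -> int:
        return sum(i.docs for i in self.indices)

    @property
    def total_bytes(self) -> int:
        return sum(i.store_bytes for i in self.indices)


def parse_cat_indices(body: str) -> List[IndexSummary]:
    """Parse the JSON form of _cat/indices (fields: index, docs.count,
    store.size).  Empty or null counters, e.g. on closed indices, become 0."""
    return [IndexSummary(name=row["index"],
                         docs=int(row.get("docs.count") or 0),
                         store_bytes=int(row.get("store.size") or 0))
            for row in json.loads(body)]


def audit(fetch: Fetcher) -> ExposureReport:
    """Probe the dashboard and the data API with no credentials at all."""
    dash_status, _ = fetch(DASHBOARD_PATH)
    api_status, body = fetch(INDEX_CATALOGUE)
    report = ExposureReport(dash_status, api_status)
    if api_status == 200:
        report.indices = parse_cat_indices(body)
    return report


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher for a host you are authorised to test (hypothetical URL)."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 401/403/404 still carry a code
            return err.code, ""
    return fetch


# Constructed stand-in for a server with the misconfiguration described in
# the article: the UI path challenges for basic auth (401) while _cat/indices
# answers in full.  Names and document counts echo the reported figures; the
# byte sizes are invented for the example.
FAKE_CATALOGUE = json.dumps([
    {"index": "sales_org", "docs.count": "300412",
     "store.size": "21474836480"},
    {"index": "market_specific_quality_dashboard", "docs.count": "820117",
     "store.size": "34359738368"},
    {"index": ".kibana", "docs.count": "42", "store.size": "65536"},
])


def fake_misconfigured_fetch(path: str) -> Tuple[int, str]:
    if path.startswith("/_cat/indices"):
        return 200, FAKE_CATALOGUE
    return 401, ""


def fake_hardened_fetch(path: str) -> Tuple[int, str]:
    # What a correct fix looks like from outside: every path wants credentials.
    return 401, ""


if __name__ == "__main__":
    for label, fetch in (("misconfigured", fake_misconfigured_fetch),
                         ("hardened", fake_hardened_fetch)):
        r = audit(fetch)
        print(f"{label}: auth bypassed={r.auth_bypassed}, "
              f"indices={len(r.indices)}, docs={r.total_docs}, "
              f"size={r.total_bytes / 2**30:.1f} GiB")
```

Against a live host the call is `audit(http_fetcher("https://kibana.example.internal"))` with a hostname of your own; run it only against systems you are allowed to test. The point of `auth_bypassed` is that a 401 on the dashboard alone is not a pass: the verdict only counts when the data API is also refused. The durable fix is to require authentication on Elasticsearch itself rather than only at a proxy in front of Kibana, so that no proxy rule can silently let the API through.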

According to the Cybernews team, historical data indicates that the database had been accessible for at least 506 days (nearly a year and a half), since June 4, 2021, and that more than 35GB of data was added to it after the server misconfiguration opened the hole in Ecco’s infrastructure.

“A threat actor could change visible code, naming and phishing URLs or make victims or employees install unwanted files, such as ransomware activators or remote access tools, on their browsers and devices, causing immense damage,” the Cybernews team stated.

Index names on the exposed server show that literally millions of documents were disclosed: for example, an index named sales_org contained over 300,000 documents, while another, titled market_specific_quality_dashboard, contained over 820,000 records.

As the table of exposed indexes shows, millions of documents were accessible covering many aspects of Ecco’s corporate life, from monitoring the performance of the company, its employees and its customers to information on the status of its systems.

Unfortunately, the database also appears to be linked to the website here.com, likely used by the Danish shoe company’s international websites, giving skilled attackers the means to target the company globally.

According to the researchers, the ability to modify data inside Elasticsearch would be very dangerous in the wrong hands, allowing bad actors to launch attacks against Ecco’s stores, employees and even customers.

The misconfiguration discovered by the Cybernews team is particularly dangerous precisely because Ecco’s server prompted for HTTP authentication: the company’s security staff may have considered it “safe”, allowing the problem to persist for a long time.

Cybernews researchers say that organizations should review their security policies and audit their databases and servers more often, making sure there are no problems and fixing code in good time.

“Pre-configured servers that have worked fine in the past may have new versions of dependencies, leading to new security issues if left unchecked. Even when everything looks safe, you still need to treat it as unsafe, for example by sanitizing all input [that is, essentially, checking that nothing can be accessed without authorization],” the researchers said.

While it is impossible to know whether malicious actors actually took advantage of the Ecco leak, users are advised to keep an eye on messages that appear to come from the Danish company, to avoid phishing attempts.

A password manager and two-factor authentication are also recommended to blunt possible attacks.