Poorly Configured Server Exposes International Fitness Retailer's API Data

The cybersecurity research team at vpnMentor has discovered a security issue that left over 123 million records containing personal information of an international fitness retailer's customers exposed. Decathlon, a sporting goods retailer based in France, operated the Elasticsearch server at the center of the debacle.

Noam Rotem and Ran Locar, lead researchers for vpnMentor, discovered the vulnerability earlier this month. Their published findings note that Decathlon’s servers lacked even the most basic security, allowing attackers to easily access employee usernames, unencrypted passwords, API logs, API usernames, and more. This exposure of API credentials is especially concerning, with vpnMentor noting that:

“The company is not one to shy away from making technological advances, introducing in-store mobile checkouts and inventory robots. However, these API-enabled tech systems are a soft spot for vulnerabilities, particularly when the correlating databases are not properly secured.”

vpnMentor states that they notified Decathlon of the issue on February 16th, 2020 and that the database was taken down the next day. As usual, it is impossible to know how much of the data was exposed to bad actors before it was taken down.
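The report does not publish Decathlon's actual configuration, so the following is an added illustration, not the company's or vpnMentor's material: an `elasticsearch.yml` fragment showing the kind of exposed setup the researchers describe (a cluster listening on all interfaces with authentication and TLS switched off) beside a hardened version. Setting names are Elasticsearch's own; the host names and file paths are placeholders. Note that whether security is on by default depends on the Elasticsearch version (it was off by default before 8.0), which is why checking these values explicitly matters.

```yaml
# --- Exposed (do not use): reachable from the internet, no auth, no TLS ---
cluster.name: example-cluster            # placeholder name
network.host: 0.0.0.0                    # listens on every interface
http.port: 9200
xpack.security.enabled: false            # anyone who can reach :9200 reads the indices

# --- Hardened: private bind address, authentication and TLS required ---
cluster.name: example-cluster            # placeholder name
network.host: 10.0.0.5                   # placeholder: internal address only, not public
http.port: 9200
xpack.security.enabled: true             # every request needs a user or API key
xpack.security.http.ssl.enabled: true    # encrypt client traffic
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder path
xpack.security.transport.ssl.enabled: true   # encrypt node-to-node traffic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # placeholder path
```

Beyond the file itself, a practitioner would pair this with a network control (firewall or security group) so that port 9200 is never reachable from outside the private network, and would avoid storing plaintext credentials, such as the unencrypted passwords and API logs described above, in the indices at all.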
