24 March 21, 13:28
Quote:Arts-and-crafts retailer Hobby Lobby has suffered a cloud-bucket misconfiguration, exposing a raft of customer information, according to a report.
An independent security researcher who goes by the handle “Boogeyman” uncovered the issue and reported it to Motherboard in an online chat, according to a Vice writeup.
The researcher said that customer names, partial payment-card details, phone numbers, and physical and email addresses were all caught up in the leak – along with source code for the company’s app, and employee names and email addresses.
Boogeyman offered screenshots verifying the exposure of the data, which totaled 138GB and impacted around 300,000 customers. It was housed in an Amazon Web Services (AWS) cloud database that was misconfigured to be publicly accessible. The issue is now resolved, but it’s unclear if any malicious actors tapped the information before the database was secure.
“We identified the access control involved and have taken steps to secure the system,” Hobby Lobby told Motherboard. Threatpost has reached out to Hobby Lobby to independently confirm the issue.
Read more: Hobby Lobby Exposes Customer Data in Cloud Misconfiguration | Threatpost