Dodo Point has exposed over one million customer records online. The data was stored in an unencrypted bucket accessible without any form of authentication.
According to Website Planet’s security team, a recent incident affected the Dodo Point loyalty points service platform and resulted in a huge exposure of personal data.
Dodo Point is operated by Yanolja Cloud in South Korea. The service is based on user phone numbers. Customers enter their phone numbers in restaurants or stores via a tablet (Figure A) and are then credited with their rewards.
An Amazon bucket used by the company was not secure: no authentication protocol had been deployed and no data encryption had been used on the storage, leading to the exposure of approximately 73,000 files, representing more than 38 GB of data.
Amazon is not responsible for the misconfiguration of the Dodo Point bucket, as the security of a bucket is the responsibility of the Amazon customer.
An investigation based on the number of customer records exposed in Excel files and accounting for duplicate entries led researchers to estimate that at least one million customer records were leaked in the breach.
According to the company’s website, huge multinational brands including Nike and Marriott use Dodo Point.
The exposed data contains names, dates of birth, gender, phone numbers, email addresses, stores visited, and possibly more (Figure B).
Fewer than 1,000 records of bank transfers and direct debits were also found in the database. All of this data could allow anyone to profile the habits of specific users.
Ineffective incident reporting
The researchers who found the exposed data first tried to contact Spoqa, the company that owned Dodo Point when the data was discovered. Having received no response, they contacted the Korean Computer Emergency Response Team. Again, they got no response. The researchers then attempted to reach new contacts at Spoqa while disclosing the incident to Amazon Web Services, which also did not respond.
Finally, Yanolja became the new owner of Dodo Point and could be reached. The company responded quickly to researchers, and two days later the Amazon bucket was secured.
Although the change in ownership of Dodo Point has probably made things more difficult, IT security incidents must always be dealt with, regardless of the context.
Similar exposures online
Website Planet researchers are conducting an extensive web mapping project. As part of this project, they use web scanners to identify insecure data stores on the Internet before analyzing and reporting these stores to relevant companies to secure them and raise awareness of the dangers of such exposures.
Recently, TechRepublic wrote about thousands of insecure and exposed Elasticsearch databases being held for ransom.
In 2017, 27,000 MongoDB servers were affected by a similar attack. In 2018, an unsecured database owned by an e-marketing company exposed 11 million records.
Such exposures are quite common, and it is not difficult for an attacker to use online scanning tools to find such databases and discover exposed data that is neither encrypted nor protected by authentication.
These data exposures can lead to the exploitation of personal data for cybercrime purposes: an attacker can impersonate an individual or use their information to target them with specific phishing or social engineering tricks. Some threat actors may also collect information that can be used for cyber espionage purposes.
How to improve incident reporting speed
The case presented here shows once again that incident management can only be effective when researchers are immediately able to reach the right people in an organization. With people changing jobs, it can be difficult to reach someone when needed, but there are solutions.
Using an email address dedicated to security concerns might be the best solution. In April 2022, the Internet Engineering Task Force published RFC 9116, which urges companies to publish a plain-text file named security.txt, readable by anyone over the web, at the root of every website or in a folder named .well-known.
Google, Meta, and GitHub already use this file to provide security contacts to any researcher who would like to contact them to report a security issue. The security.txt site offers to help companies generate their security.txt file and provides more information about the project.
How to protect yourself from such a threat
Companies should never expose databases to the Internet unless strictly necessary. If necessary, secure authentication mechanisms such as multi-factor authentication should be deployed.
Role-based access controls should be defined and appropriate privileges assigned to each user. The data stored in these databases must be encrypted so that even if an attacker manages to access the data, it can be useless to them.
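As an added example (not from the article and not Yanolja's or AWS's code), this offline audit checks the S3 settings whose absence produced an exposure like the one above: a bucket policy open to anonymous principals, public ACL grants, Block Public Access turned off, and no default encryption. It works on the data structures the S3 API returns, with constructed samples standing in for live responses.

```python
"""Offline S3 bucket audit (added example). Inputs mirror what boto3 returns:
policy = json.loads(get_bucket_policy()["Policy"]), acl_grants =
get_bucket_acl()["Grants"], public_access_block =
get_public_access_block()["PublicAccessBlockConfiguration"], encryption_rules =
get_bucket_encryption()["ServerSideEncryptionConfiguration"]["Rules"]."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(policy, acl_grants, public_access_block, encryption_rules):
    """Return a list of findings; an empty list means none of the checked gaps exist."""
    findings = []
    # 1. A policy statement allowing Principal "*" with no Condition is world-readable.
    for st in (policy or {}).get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            findings.append("policy allows anonymous access: " + json.dumps(st.get("Action")))
    # 2. ACL grants to AllUsers (anyone) or AuthenticatedUsers (any AWS account) are public.
    for g in acl_grants or []:
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append("ACL grants %s to %s" % (g.get("Permission"), uri.rsplit("/", 1)[-1]))
    # 3. All four Block Public Access switches must be on to stop future mistakes.
    for key in PAB_KEYS:
        if not (public_access_block or {}).get(key, False):
            findings.append("public access block setting off: " + key)
    # 4. Without default server-side encryption, leaked objects are readable as-is.
    if not encryption_rules:
        findings.append("no default server-side encryption configured")
    return findings

# Constructed samples: an open bucket (bucket name is a placeholder) and a hardened one
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-loyalty-data/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LOCKED_PAB = {k: True for k in PAB_KEYS}
SSE_RULES = [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]

if __name__ == "__main__":
    for finding in audit_bucket(OPEN_POLICY, OPEN_ACL, {}, []):
        print("OPEN:", finding)
    print("HARDENED:", audit_bucket(None, [], LOCKED_PAB, SSE_RULES))
```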
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.