Bestgamingpro


Shoemaker Ecco leaks nearly 60GB of customer data

Ecco, a shoe manufacturer, has been running a poorly configured database for over a year, leaving a trove of private information accessible to anybody with the means to reach it.

According to the findings of a new analysis, a research team found that Ecco had left 50 of its indices publicly exposed. Since June of 2021, the database has included over 60GB of potentially sensitive information.

From sales records to computer system data, millions of sensitive documents were exposed. It was possible for anybody with access to see, change, copy, steal, or delete the material, the researchers claimed.

Requests to APIs

Ecco stepped in to fix the situation in the meantime, but they declined to respond to Cybernews’ investigation. The researchers reported that the database seemed to be closed.

During a web-wide scan for vulnerable databases, the research team discovered an exposed instance belonging to Ecco that was running Kibana, an ElasticSearch visualisation interface. According to the study authors, Kibana is essential in processing data retrieved from ElasticSearch.

HTTP authentication was set up to protect the dashboard instance; however, the server was (mis)configured to let API calls through. The researchers used this flaw to look up the names of Ecco’s ElasticSearch indices and discovered 50 indices containing more than 60GB of data.
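The misconfiguration described above, reproduced in-process as an added example (not code from the researchers or from Ecco): a login that covers only the dashboard path while API paths fall through, next to a rule that covers every path. The paths, credentials and the `/app`-only rule are constructed assumptions; the audit lists every path that answers an unauthenticated request with anything other than 401.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed values for illustration; none come from the Ecco deployment.
USER, PASSWORD = "ops", "example-only"
UI_PATH, API_PATH = "/app/dashboard", "/api/indices"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

def backend(environ, start_response):
    """Stand-in for the dashboard server: answers every path it is handed."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"data for " + environ["PATH_INFO"].encode()]

def basic_auth(app, protected_prefixes):
    """Wrap app so that only paths under protected_prefixes need Basic auth."""
    def middleware(environ, start_response):
        path = environ["PATH_INFO"]
        supplied = environ.get("HTTP_AUTHORIZATION", "")
        needs_auth = any(path.startswith(p) for p in protected_prefixes)
        ok = hmac.compare_digest(supplied.encode(), EXPECTED.encode())
        if needs_auth and not ok:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="dashboard"')])
            return [b""]
        return app(environ, start_response)
    return middleware

# Weak: only the UI prefix is protected, so API paths fall through to the backend.
weak = basic_auth(backend, ["/app"])
# Hardened: every request path starts with "/", so nothing is served without credentials.
hardened = basic_auth(backend, ["/"])

def status_for(app, path, authorization=None):
    """Send one in-process request and return the numeric HTTP status."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    list(app(environ, lambda status, headers: seen.append(status)))
    return int(seen[0].split()[0])

def audit(app, paths):
    """Return paths that answer an unauthenticated request with anything but 401."""
    return [p for p in paths if status_for(app, p) != 401]

if __name__ == "__main__":
    print("weak:", audit(weak, [UI_PATH, API_PATH]))
    print("hardened:", audit(hardened, [UI_PATH, API_PATH]))
```
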

Researchers said the data included sensitive information ranging from sales and marketing to logging and system details. More than 300,000 documents are indexed in the sales org index. Over 820,000 items were located in a directory named market specific quality dashboard.

They went on to claim that the database may be used for phishing campaigns, identity theft, or tricking individuals into executing malware and ransomware in a variety of ways, including via changes to the visible code, nomenclature, and URLs.

The database is not for a regional office of Ecco but rather the international one found at ecco.com. If a skilled hacker gained access to the data, he or she would have a powerful weapon with which to launch a worldwide assault on the firm, the people who shop at Ecco shops, the staff there, and the consumers they serve.