Decathlon Leaked Data Of Spanish Employees Exposing 123 Million Records

The sporting goods giant Decathlon is in the news because of a security flaw. Researchers found a database exposing over 123 million records that belonged to Decathlon Group. Specifically, the database leaked detailed data of Decathlon Spain employees, including their personal details and proprietary information.

Decathlon Data Leaked

Reportedly, the researcher duo from vpnMentor, Ran Locar and Noam Rotem, has found another treasure trove of data exposed online. Elaborating on the details in a blog post, the researchers revealed that they found an unsecured database belonging to Decathlon Spain.

The exposed treasure trove leaked data of Decathlon Spain employees. As stated in their post:

"It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information."

In brief, the exposed data on an Elasticsearch server included over 123 million records. These records included employees’ personal details such as usernames, passwords, API logs, API usernames and unencrypted passwords, detailed PII data of the employees, employment contract details, and work email addresses. Moreover, it even included unencrypted customer login information and private IP addresses.

According to the researchers, such detailed data could help criminals conduct phishing attacks, corporate espionage, and identity theft, and could even enable physical threats.

Database Now Offline

The researchers found the exposed database on February 12, 2020. After investigating for four days, they found that the database belonged to Decathlon Spain, and possibly, to Decathlon UK too.

They then notified the firm about the breach on February 16, 2020, and the firm closed the database the very next day. For now, that means the threat is over. The researchers advise users to contact Decathlon and enquire about the incident to assess their data security.
