vpnMentor researchers discovered an unsecured server belonging to the Chinese e-store LightInTheBox.com containing 1.3TB of web server logs.

Infosec researchers have uncovered an unsecured Elasticsearch database containing 1.3TB of web server log entries held by Chinese e-commerce website LightInTheBox.com.

LightInTheBox is a Chinese online retailer trading on the New York Stock Exchange, most of its customers are in North America and Europe. LightInTheBox focuses on the sale of gadgets, clothing and small accessories.

LightInTheBox is generating over 12 million monthly visitors on its website, along with several smaller subsidiary companies.

The data leak was discovered by VPNmentor in late November, data in the archive was “unsecured and unencrypted”, and accessible from anyone via a web browser.

“Led by cybersecurity analysts Noam Rotem and Ran Locar, vpnMentor’s research team discovered a leak in a database belonging to the online retailer LightInTheBox.” reads the post published by vpnMentor.

“A massive database, it contained over 1 terabyte of daily logs and compromised the security of LightInTheBox customers across the globe.”

The unsecured Elasticsearch installs contained over 1.3 TB of data, totaling over 1.5 billion records, it also included data from their subsidiary sites such as MiniInTheBox.com.

vpnMentor researchers pointed out that the security measures implemented by the retailer were insufficient.

The web server log contained activities related to the site dating from 9th of August 2019 to 11th of October.

Exposed data included email addresses, IP addresses, countries of residence and pages each visitor visited on LightInTheBox’s website.

Code snippets show how 3 separate email addresses were exposed

Experts warn of possible phishing attacks that could be launched by crooks that had access to users’ email addresses and their browsing history.

Below the timeline of the discovery:

Date discovered: 20/11

Date vendors contacted: 24/11

24/11 Date of Action: Approx. 24/11/19

“This data breach represents a major lapse in LighInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no user Personally Identifiable Information data could be a threat to both the company and its customers. concludes the post.

“By exposing their data, LightInTheBox risks further loss of business that could negatively impact future revenues.”

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)