LightInTheBox Data Breach - Popular global retailer leaks 1.3TB of customer data (1.5 billion records)
December 2019 by VPNMentor
Led by cybersecurity analysts Noam Rotem and Ran Locar, vpnMentor’s research team discovered a leak in a database belonging to the online retailer LightInTheBox.
A massive database, it contained over 1 terabyte of daily logs and compromised the security of LightInTheBox customers across the globe.
Not only is this a major breach in LightInTheBox’s data security protocols, but it also creates real dangers for those affected.
LightInTheBox Company Profile
LightInTheBox is an online retailer based in Beijing, China and trading on the New York Stock Exchange as LITB. Founded in 2007, LightInTheBox ships internationally, with most of its customers in North America and Europe. The company focuses on three core retail categories: apparel, small accessories and gadgets, and home and garden.
LightInTheBox is a huge business, generating over 12 million monthly visitors on its flagship website, along with several smaller subsidiary companies.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and what’s at stake takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.
In this case, after identifying LightInTheBox as the database’s owner, we contacted them to present our findings. While we didn’t receive a reply from the company, the database breach was closed shortly after.
● Date discovered: 20/11
● Date vendors contacted: 24/11
● Date of Action: Approx. 24/11/19
Example of Entries in the Database
LightInTheBox does not provide specific details about their data security and storage practices or the measures they take to protect customers’ data.
“...administrative procedures to safeguard the confidentiality of your personal information, such as:
* Safeguarding all financial transactions done through this Site with Secure Sockets Layer ("SSL") encryption
* Granting only employees who are providing a specific service access to your personal information
* Working only with third-party service providers who we believe adequately secure all computer hardware.
While our business is designed with safeguarding your personal information in mind, please remember that 100% security does not presently exist anywhere, online or offline.”
Based on our team’s discovery, the measures they were taking were insufficient. The breached database contained over 1.3 TB of data, totaling over 1.5 billion records.
The database was a web server log - a history of page requests and user activity on the site dating from 9th of August 2019 to 11th of October.
Aside from LightInTheBox.com, it also contained data from their subsidiary sites, including MiniInTheBox.com.
The data breach affected customers around the world, with entries from many of their international sites, and in numerous languages.
Through the web server logs stored on the database, we viewed private personal user data that included:
● Users’ IP addresses
● Countries of residence
● Email addresses
● Destination pages and user activity on the website
The following code snippets show how 3 separate email addresses were exposed:
The database also included data from LightInTheBox’s Google & Bing Ads advertising campaigns.
Data Breach Impact
This data breach represents a major lapse in LighIinTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no user Personally Identifiable Information data could be a threat to both the company and its customers.
LightInTheBox risks losing business at a crucial time if customers don’t feel they can trust the company to keep their data private.
Based on LightInTheBox’s user reviews on Trustpilot, many customers are already unhappy with their experiences on the website. By exposing their data, LightInTheBox risks further loss of business that could negatively impact future revenues.
For LightInTheBox customers
The exposed data makes those affected vulnerable to many forms of fraud and online attacks. With access to user emails, cybercriminals could create convincing phishing campaigns with emails imitating LightInTheBox.
With these emails, victims could be tricked into any of the following:
● Clicking a link that embeds malicious software on their device
● Revealing sensitive financial or personal information
● Providing login credentials for private online accounts
The impact on a victim could be devastating.
There is also a physical danger. With a website user’s IP address, we were able to identify their city of residence. If a criminal hacker had access to this, along with the other data exposed, they could trick a victim into revealing their home address, and target them for theft and home robbery.
The following example shows some of the additional information that can be found using someone’s IP address:
Worst of all, this data breach happened in the lead up to Christmas, when many people will be stocking up on presents, and potentially buying them from LightInTheBox.
Advice from the Experts
LightInTheBox could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
1. Secure your servers.
2. Implement proper access rules.
3. Never leave a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.