- An unprotected Elasticsearch database belonging to AmazingCo contained 212,220 customer records and potential customer leads.
- The exposed records included user names, email addresses, phone number, internal notes, and other details.
AmazingCo, a company based in Melbourne, Australia had an unprotected Elasticsearch database that contained sensitive details of customers and possible leads. The publicly accessible database was discovered by security researcher Jeremiah Fowler. According to Fowler, a large portion of data was related to children’s entertainment and wine tours.
AmazingCo provides services such as hosting children’s parties, date nights and social experiences all around Australia, New Zealand, and in eight states in the US.
The big picture
- Fowler found out that the unprotected database had 212,220 records in total which included user names, email addresses, phone numbers, internal notes, and other details.
- A folder named “Customers” in the database contained 174,000 records. It was identified that a major chunk of this data was for ‘children’s entertainment and wine tours’.
- Detailed customer feedbacks and internal notes on specific events were also found in the database.
- On top of this, IP addresses, Ports, Pathways, and storage information were also recorded in the database.
Fowler indicated the internal notes on events had user reviews linked with personally identifiable data(PII). “A vast majority of the notes that I read were positive and praising the entertainers, tour guides, and experiences. The down side to this is that each of these were connected to the client’s real personally identifiable data and the files also included internal notes on the clients, their events and any challenges Amazingco’s staff experienced,” Fowler wrote in his blog.
Upon being notified about the exposed database, AmazingCo secured the database and its no longer publicly accessible. It is unknown how long these records were exposed online.