Unprotected database belonging to mattress company exposes over 387000 customer records

• The exposed data includes customers’ names, phone numbers, emails, home addresses, and billing addresses.
• Customers’ system information such as IP addresses, Ports, Pathways, storage info including login credentials with hashed passwords were also exposed.

What happened?

Researchers from Security Discovery uncovered a database belonging to Verlo Mattress Factory that was left unprotected without any authentication.

What information was involved?

The unprotected database contained 387,604 records of customer data.

• The exposed data includes customers’ names, phone numbers, emails, home addresses, and billing addresses.
• Customers’ system information such as IP addresses, Ports, Pathways, storage info including login credentials with hashed passwords were also exposed.
• However, no credit card information or payment details were involved in the data leak.

The big picture

A security researcher from Security Discovery named Jeremiah Fowler uncovered the leaky database on September 05, 2019. The database contained a folder named “Customers”. Every file contained in the folder referred to Verlo Mattress Factory. Upon further investigation, the researcher noted that this could be a franchise or a single location.

Upon discovery, the researcher made multiple attempts to notify Verlo Mattress Company about the data leak but did not hear back from the company. However, the researcher noted that the database was taken down soon after the first notification was sent to the company.

“It is unclear how long the data was exposed or who else may have gained access to it before I responsibly disclosed my discovery to the Verlo Mattress Company. It is also unclear if the affected customers or the authorities were notified,” the researcher said in a blog.