
Unprotected Elasticsearch database belonging to DK-Lok exposes private and confidential emails


What is the issue?

Security researchers from vpnMentor, Noam Rotem and Ran Locar, discovered an Elasticsearch database belonging to DK-Lok that was left publicly available without any authentication.

DK-Lok is a supplier of tube fittings, valves, manifolds, gauges and other products used in various industries.

What was exposed?

  • The leaky database exposed DK-Lok's internal and external communication records including emails sent between staff and their clients.
  • Some of the exposed email records were marked as “private” and “confidential”.
  • The exposed emails were related to DK-Lok’s operations, products, and clients including e-commerce order notes, newsletters, product bids, quotes, travel details, and private conversations.
  • Apart from emails, the personal information of staff and clients, such as names of employees and clients, their email addresses, employee/user IDs, and phone numbers, was also exposed.
  • Personal emails received by employees on their work email addresses were also exposed (Alibaba orders, newsletters, Starwood hotels, spam/junk mail for Viagra and hair growth products).

Who was impacted?

  • The data leak has not only impacted DK-Lok but also its clients across various countries including the US, South Korea, New Zealand, South Africa, Australia, Iran, Germany, Russia, and France among others.
  • At least 1,500 “.co.uk” email addresses were leaked, indicating that UK companies were also impacted.

“This leak doesn’t just compromise the security and privacy of DKLOK, but also its clients. Confidential discussions of a highly sensitive nature have been made public in this leak. They give a great deal of insight into DKLOK’s business around the world and compromise the privacy of DKLOK clients,” researchers said.

How was the database discovered?

Researchers uncovered the leaky database during vpnMentor’s web mapping project, in which port scanning was used to find unprotected online systems. The open database was uncovered by the researchers through a vulnerability in a peripheral system linked to DK-Lok’s email hosting service, which has left its entire email database unsecured.

Upon discovery, the researchers reached out to DK-Lok on August 21, 2019, to notify them about the open database. Numerous attempts were made over phone calls and emails; however, DK-Lok did not respond.
