The data leak was discovered by VPNmentor in late November, data in the archive
“A massive database, it contained over 1 terabyte of daily logs and compromised the security of LightInTheBox customers across the globe.”
The unsecured Elasticsearch installs contained over 1.3 TB of data, totaling over 1.5 billion records, it also included data from their subsidiary sites such as MiniInTheBox.com.
vpnMentor researchers pointed out that the security measures implemented by the retailer were insufficient.
The web server log contained activities related to the site dating from 9th of August 2019 to 11th of October.
Exposed data included email addresses, IP addresses, countries of residence and pages each visitor visited on LightInTheBox’s website.
Experts warn of possible phishing attacks that could be launched by crooks that had access to users’ email addresses and their browsing history.
Below the timeline of the discovery:
“This data breach represents a major lapse in LighInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken. This is a time of the year with a lot of online shopping: Black Friday, Cyber Monday, Christmas. Even a large leak with no
“By exposing their data, LightInTheBox risks further loss of business that could negatively impact future revenues.”
(SecurityAffairs – Iran, hacking)