The target: Bergen Logistics, a U.S based fulfillment provider.
The take: Personally Identifiable Information including: names, sur names, city, zip code, addresses, order numbers, email addresses, plain-text passwords to customer accounts.
The attack vector: An unsecured Elasticsearch database server was left online, meaning anyone with an internet connection was able to connect and download the data.
The exposure of personal information can lead to highly targeted phishing and fraud attacks. More critical was how this firm stored their customer account passwords in plain text on the server with no encryption or protections. Ensuring credentials are adequately and appropriately protected through encryption is an integral part of maintaining a robust cybersecurity posture.