Personal data of Auchan, Your Home and Gloria Jeans customers leaked online


The hacker who previously published the data of customers of Sberbank services has posted the customer databases of the Auchan and Tvoy Dom ("Your Home") hypermarkets, as well as of the Gloria Jeans chain, containing names, phone numbers and delivery addresses. Researchers believe that a vulnerability in the web-project platform from the developer 1C-Bitrix, which was subjected to a massive cyber attack at the end of May, could have been the attacker's entry point. At the same time, experts emphasize that the vendor may have nothing to do with it: an update that fixes the vulnerability has been available since last year, but not all customers have installed it.

Customer databases of the Auchan hypermarkets, the Tvoy Dom hypermarkets (goods for repair and decoration, part of the Crocus Group) and the fashion retailer Gloria Jeans have begun to circulate online, researchers at DLBI, a data leak intelligence and darknet monitoring service, discovered. The Auchan and Gloria Jeans data are presented as text files (7.8 million and 3 million lines, respectively), while the Tvoy Dom data is laid out as a dump of the user table (more than 713 thousand lines) from the "1C-Bitrix" content management system (CMS).

The Auchan and Gloria Jeans customer databases contain first and last names, phone numbers, e-mail addresses, and addresses for delivery and pickup of goods. The Tvoy Dom database holds practically the same set of data, but without the users' actual addresses.

Auchan’s security service confirmed the leak and said it was conducting an internal investigation to “determine the attack vector and source.” Gloria Jeans is checking whether the data belongs to its customers. The Crocus Group did not respond to Kommersant.

The data was published by the same attacker who posted the data of users of Sber services (the SberSpasibo bonus program, SberPravo, etc.; see Kommersant of March 9), DLBI says. “The database is published in the Telegram channel belonging to the hacker, the data is open for public access, which indicates its uselessness for the hacker himself,” Ashot Oganesyan, founder of DLBI, explained to Kommersant. In his threats, the hacker writes that the databases of 12 large companies will be published in total, while nine victims are known.

DLBI believes that the 1C-Bitrix system could have been the source of the Tvoy Dom data leak, either through a vulnerability or through access gained to a backup copy of the database server or to the server itself. According to the 1C-Bitrix website, the Tvoy Dom hypermarket is among the companies that have built a corporate website on the platform.

The researchers did not claim that 1C-Bitrix was the entry point in the case of Auchan, since that leak was posted in a different format. But Kommersant found on the developer’s website that its services were used by the retailer's charity project, Generation Auchan. In total, 1C-Bitrix has more than 180 thousand web projects. The company itself did not respond to Kommersant.

Judging by the dates in the leaked databases, the hack took place in May, says Denis Kuvshinov, head of the cyberthreat research department at the Positive Technologies expert center: time and according to one scenario. At the same time, on May 26, sites all over Russia running an outdated version of the 1C-Bitrix CMS containing vulnerabilities were subjected to a massive attack, as a result of which several thousand resources were disabled, notes Mr. Kuvshinov.

Most of the hacks being discussed now use CMS vulnerabilities, updates for which have been available since March 2022, Sergey Gordeychik, CEO of Cyberok, emphasizes: “But for more than a year, the owners of information resources based on 1C-Bitrix have not installed updates. This indicates a low level of cybersecurity in organizations, and you should not blame the vendor for everything.”

Tatyana Isakova
