Camera gear and accessory retailer Peak Design recently suffered a colossal leak of roughly half a million customer records.
During a recent data migration of databases that weren’t protected by encryption of any kind, the retailer Peak Design managed to expose about a decade’s worth of client data publicly.
Because the data being migrated wasn’t protected by any kind of password or encryption, it got exposed and was unfortunately siphoned off.
The website Cybernews discovered this leak and published a report about it on June 4th. You can read that in detail here, and see the full summary of what happened and what Cybernews considers to be the cause.
Most importantly, Cybernews explains why it believes that malicious parties managed to at least see the leaked client data.
These customer records being briefly exposed would not by itself necessarily have been a major problem (except for what it might say about Peak Design’s digital security protocols).
Their exposure to hackers however could easily mean that they find their way into the hands of online fraudsters and data thieves.
As Cybernews explains,
“On March 25th, the Cybernews research team identified the leak and informed the company. While the data appeared on search engines on April 24th, the leaked support tickets span nearly a decade from June 2014 to May 2023, magnifying the scope of the leak,”
Cybernews also ominously adds, “Cybernews researchers found a ransom note on the company’s systems, indicating it was likely accessed by the threat actor at least once.”
Peak Design confirmed that the leak had happened and its CEO, Peter Dering stated to Petapixel,
“You support Peak Design with the confidence that we protect your privacy. We recently discovered and fixed a data compromise involving historical customer service tickets,”
The data leak includes customer support tickets from between October of 2013 to May of last year. Oops.
The leaked data fortunately doesn’t include credit card information, banking data or social security numbers according to Dering, but they do include customer names, email addresses, shipping information (physical addresses) and order details among other things like communication records of interactions with customers.
While the lack of passwords and banking or CC data is definitely a good thing, Dering might also be aware that hackers do value all of the information that was leaked too.
The reason why is that it can be used by them for all kinds of social engineering, spam and user hacking purposes.
As leaked information it’s nowhere near as valuable as raw financial data, but to online fraud practitioners, it’s far from worthless.
Peak Design itself claims that it doesn’t yet know of any cases of misuse with the leaked information. However, these sorts of leaks can take some time to percolate through the deeper internet.
The company also warned its clients,
“If you receive communication from or relating to Peak Design that seems suspicious, contact us at security@peakdesign.com. If you are concerned about identity theft and would like more information on ways to protect yourself, visit the Federal Trade Commission’s Identity Theft website.”
Peak Design managed to fumble its handling of this data trove when it failed to set a password on its Elasticsearch servers.
Cybernews elaborates,
“The data leak was caused by a publicly accessible Elasticsearch instance. Elasticsearch is an open-source search engine for searching and analyzing large amounts of data on websites or systems,”
In the first place, these servers aren’t supposed to be exposed to the public internet without special protection (such as a password at least).
However, in Peak Design’s case, the company migrated to a new customer service platform and in the process created an internal search engine for letting its agents search customer record quickly.
On March 11th, 2024, a private server hosting the searchable information was then accidentally made openly accessible without password protection.
This leak wasn’t detected by Peak Design though, and it wasn’t until April 11th that security researcher staff at Cybernews detected the breach and fixed it.
However, Dering did add that an “unauthorized third party” may have accessed the information on April 1st, though he claims that the company isn’t aware of any redistribution of the information.
This of course is an assumption and only time will soon tell if hackers accessed the data.
For now, if you’ve been a buyer from Peak Design, and especially if you bought anything from the site between late 2013 and early 2023, I’d suggest being very observant of any unusual emails.
Be particularly wary of messages or emails related to Peak Design, or simply any asking you for any personal information.
