French sporting goods manufacturer Decathlon has suffered a huge breach, which has seen millions of customer records exposed.
According to Computer Weekly, the breach was caused by a misconfigured cloud service and a total of 123 million records were exposed.
The data exposed includes customer usernames, passwords (unencrypted), API logs, API usernames and passwords (also unencrypted), as well as private IP addresses, login attempts and API details.
The database also contained staff names, nationalities, birthdays, phone numbers, addresses, education details, qualifications and contract information.
“The leaked database contains a veritable treasure trove of employee data and more,” said the researchers who uncovered the breach.
“It has everything a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information.”
Decathlon was notified of the mishap on February 16 and the leak was plugged the following day. But, despite the firm's quick response, it's possible hackers could use the exposed data to conduct business email compromise (BEC) or phishing attacks going forward.
“Decathlon could easily have avoided this leak if they had taken some basic security measures to protect the database,” the researchers said.
“These include, but are not limited to: secure your servers, implement proper access rules, and never leave a system that doesn’t require authentication open to the internet.”