On March 3rd, 2021, I discovered a non-password-protected Elasticsearch database that contained just under a million records. The exposed records were labeled as “Production” and contained customer names, phone numbers, physical addresses and more. The monitoring and file logs exposed many internal records that should not have been publicly accessible.
There were multiple references to Office Depot in a large sampling of the records. We immediately sent a responsible disclosure to Office Depot and the database was secured within hours. On March 5th we received a reply from a team member with the Security Operations team at Office Depot Europe thanking us for the notification and for raising awareness of the data exposure.
This leak could have provided enough information for cyber criminals to target customers with a social engineering attack or try to gain access to the accounts.
Check out the full summary of the discovery here: Office Depot Data Leak