Indian startup LensKart leaked the personal information of 7 million customers and several staff members.

Themistocles
Published in InfoSec Write-ups
3 min read · Jan 4, 2023

Misconfigured Lenskart S3 Bucket Leaking Sensitive User & Staff Data.

Lenskart now ships over 10 million pairs of eyewear every year and has over 20 million app downloads, besides over 1,200 stores across India, Singapore, and Dubai.

Introduction:

In this blog post, we will discuss a recent incident involving a misconfigured Amazon S3 bucket that resulted in the exposure of personally identifiable information (PII). This type of data leak can have serious consequences for both individuals and organizations, and it is important for companies to be aware of the potential risks and take steps to prevent them.

Description:

The incident occurred when a startup left an S3 bucket containing PII publicly accessible, allowing anyone to list and download its contents. This type of misconfiguration is a common problem and can be easily avoided by following best practices and setting appropriate permissions on S3 buckets. In this case, the bucket required no authentication at all: anyone with the link could view and download the data.

Impact:

The impact of this incident can be significant for both the individuals whose PII was exposed and the startup itself.

It was possible to download invoices containing all kinds of data: addresses, mobile numbers and invoice details. Scary!

It is important for companies to be aware of their responsibility to protect sensitive data and to take steps to prevent data leaks like this from occurring.

  • Leaking Customer Prescription Data
  • Leaking Internal Images
  • Leaking Staff Images
  • Leaking PII data (mobile numbers, addresses in invoices, documents, etc.) of all the customers

S3 Bucket: qxx-xxxxxxk

S3 URL: https://qxx-xxxxxxxxk.s3.ap-southeast-1.amazonaws.com/

Severity: Critical

Steps To Reproduce:

aws s3 ls s3://qxx-xxxxxxxxk

aws s3 ls s3://qxx-xxxxxxxxk/doc/

aws s3 ls s3://qxx-xxxxxxxxk/testimonials/

Note: No data persisted on the system at the time of reporting the issue.
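The listing commands above succeed only because the bucket grants anonymous list/read access. As an added example (not part of the original post or of Lenskart's tooling), here is an offline audit of the three things that decide that: the bucket policy, the bucket ACL and the Public Access Block, evaluated on constructed sample documents in the shape `aws s3api get-bucket-policy` / `get-bucket-acl` / `get-public-access-block` return; the bucket name, account id and role name are placeholders.

```python
import fnmatch

# Global ACL grantees as they appear in `aws s3api get-bucket-acl` output.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = ("s3:listbucket", "s3:getobject")  # behind `aws s3 ls` / `aws s3 cp`
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,   # the fix: all four on
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_public_reads(policy: dict) -> list:
    """Sids of unconditional Allow statements letting anyone list or read objects."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        everyone = principal == "*" or (isinstance(principal, dict)
                                        and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") != "Allow" or not everyone or st.get("Condition"):
            continue  # conditioned grants (e.g. VPC-only) need manual review instead
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]  # "s3:*", "*" match too
        if any(fnmatch.fnmatchcase(act, pat) for act in READ_ACTIONS for pat in patterns):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def acl_public_grants(acl: dict) -> list:
    """ACL permissions (READ, FULL_CONTROL, ...) handed to a global group."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def audit_bucket(policy: dict, acl: dict, public_access_block: dict) -> list:
    """Human-readable findings; an empty list means no anonymous exposure was found."""
    findings = [f"policy '{s}' grants list/read to everyone" for s in policy_public_reads(policy)]
    findings += [f"ACL grants {p} to a global group" for p in acl_public_grants(acl)]
    if any(public_access_block.get(k) is not True for k in HARDENED_PAB):
        findings.append("Public Access Block is not fully enabled")
    return findings

# Constructed samples: the misconfiguration that lets anyone run `aws s3 ls` on the bucket,
# and the same access scoped to one role (placeholder account id and role name).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "InvoiceService", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/invoice-service"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}
```

Feed real documents in by calling `audit_bucket` with the JSON from the three `aws s3api get-*` commands; `HARDENED_PAB` is also the payload to pass to `aws s3api put-public-access-block` for the remediation.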

Reached out to security@lenskart.com but got no response; after 90 days, reached out to CERT and the issue got fixed. However, no response was received from Lenskart.
