Mattress Company Leaks Data Records of 387K Customers

A database lacking password protection exposed sensitive data of customers of Milwaukee-based mattress company Verlo Mattress.

A Wisconsin mattress company leaked the records of 387,000 customers online in a database that lacked password protection, a security researcher has found. The incident once again demonstrates the potential security consequences of failing to take even the simplest security measures to protect company data.

Jeremiah Fowler, cyber security researcher and tech analyst at, said he discovered the online database called “Customers” on Sept. 5. Further investigation found that every file contained references to Verlo Mattress Factory and “appeared to be customer data,” he said in a blog post about the incident on Thursday.

The database set—which contains 387,604 records with names, phone numbers, emails, home addresses and billing addresses–was open and visible in any browser for anyone to edit, download or even delete data without administrative credentials, according to Fowler.

Data found in the files also included login credentials with hashed passwords for internal users as well as IP addresses, ports, pathways and storage info that could allow potential cybercriminals deeper access to other network resources, he said.

While the files seemed to be from a single store, referencing “Customers—VMFS of Greenfield,” a town in Wisconsin where Verlo has a franchise, Fowler discovered that it’s likely the exposure was wider than that. That’s because a press release the company posted on its website in May 2018 referred to the creation of a “whole ecosystem of technology” across its 37 corporate and franchise locations, he said.

“This exposed database allowed anyone with an internet connection to see what type of data is being stored and collected in Verlo’s ‘ecosystem of technology,'” Fowler wrote.

Fowler said he made “multiple attempts” to contact Verlo Mattress for comments without reply or acknowledgement. However, his access to the database was restricted “soon after” the first notification, he said. The company is owned by Marcus Investments, with a corporate office in Milwaukee.

“It would have been nice to know if this was indeed a single franchise dataset or more?” Fowler wrote in the post. “Who managed it? Was it the corporate office or the franchise that was responsible?”

Even in this era of heightened security awareness, leaving databases and servers unprotected and vulnerable to intrusion online remains a leading cause of data exposure and a thorn in the side of consumer privacy. It also can make millions of unsuspecting people potential targets of cybercrime.

The latter was the case earlier this month, when cosmetics giant Yves Rocher exposed the personal data of millions of its customers and reams of sensitive internal company information to the public because of an online server left unprotected by a third-party consultant to the firm.

The situation at this point is so critical that data breaches have become an inevitable reality of doing business and are nearly impossible to avoid, according to Fowler.

“In today’s world, it is not if a data breach will happen, it is a matter of when the data breach will happen,” he wrote. Because of this, Fowler stressed that the best organizations can do is to have a solid mitigation plan to confront such scenarios for quick remediation.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles