Wegmans Exposes Customer Data in Misconfigured Databases

Cleanup in aisle “Oops”: The supermarket chain said that it misconfigured two cloud databases, exposing customer data to public scrutiny.

Wegmans Food Markets, the U.S. supermarket chain, has notified customers that some of their data was exposed because two of its cloud-based databases were misconfigured, making them publicly accessible online.

In a publicly posted breach notification letter, Wegmans said that the issue was first brought to the company’s attention when a third-party security researcher pointed out the configuration problem. Then, “on or about” April 19, Wegmans confirmed the issue.

It’s not clear whether April 19 is when the issue was reported to Wegmans, when the databases were left open to public access, or whether that’s just when Wegmans confirmed that they were exposed. Likewise, it’s not clear whether or not customers’ data was left in open databases months or even years before it was reported and/or confirmed. Threatpost has contacted Wegmans for clarification.

“We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access,” the letter stated.

The databases contained customer information including names, addresses, phone numbers, birth dates, Shoppers Club numbers, as well as e-mail addresses and passwords for access to Wegmans.com accounts. The company added that all of the affected account passwords were salted and hashed, meaning that the actual passwords were obscured, not viewable in the databases.

Wegmans’ letter said that the company “worked diligently” with a leading forensics firm to “investigate and determine the incident’s scope, identify the information in the two databases, ensure the integrity and security of our systems, and correct the issue.”

Neither Social Security numbers nor payment card or banking information were involved in the breach, the company said.

Hashed & Salted Passwords … For Whatever That’s Worth

Wegmans’ reassurance that the password data was hashed and salted is a good thing, but it’s not exactly a get-out-of-jail-free card.

A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret. It’s just there to make sure that two people with the same password get different hashes. That stops hackers from using rainbow tables of pre-computed hashes to crack passwords, and from cross-checking hash frequency against password popularity. (In a database of unsalted hashes, the hash that occurs most frequently is likely to be the hashed version of the notoriously popular “123456”, for example.)

But salting and hashing a password just once isn’t nearly enough. To stand up against a password-cracking attack, a password needs to be salted and hashed over and over again, many thousands of times.

Failing to do so “runs afoul of conventional data protection methods, and poses significant risks to the integrity [of] users’ sensitive data”, as a $5 million class action lawsuit against LinkedIn charged way back in 2012.

Chris Clements, VP of solutions architecture at Cerberus Sentinel, pointed out to Threatpost on Monday that hashes derived from passwords that are commonly used – such as that “123456” groaner, for example – are “trivially easy for attackers to crack using cheap off the shelf GPUs.”

Threatpost has reached out to Wegmans  for details on its salting and hashing procedures.

Breach Follows Credential-Stuffing Attack

Clements hypothesized that the databases misconfiguration issue and the resulting data exposure could be linked to a series of credential-stuffing attacks that Wegmans told customers about on March 31.

The misconfigured-databases issue is the second time in less than two months that somebody’s either accosted or been given the ability to potentially accost the data of the supermarket chain’s customers. BleepingComputer spotted a notification letter that Wegmans posted on March 31 in which Wegmans told customers that it had been subjected to credential-stuffing attacks in January, likely with credentials stolen from other online services. More than 2,700 accounts had been affected, the company said at the time.

“It is likely that your login credentials were taken from another source, for example, the compromise of another company or website, where you may have used the same or similar login credentials,” the company said in the letter.

“This is known as a ‘credential stuffing’ attack, which can occur when individuals use the same login credentials on multiple websites.”

Clements said via email that with the latest disclosure, “I can easily envision a scenario in which this new breach could have predated and in fact generated the credential-stuffing attack in March. It makes a lot of sense that an initial attacker noticed the unprotected data, cracked as many account passwords as they could, and then launched an attack to login to the cracked accounts and steal as much data as possible.”

Wegmans found out about the credential-stuffing attacks in mid-February. The company said that the attackers may have accessed names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club Numbers associated with the compromised Wegmans.com accounts.

Payment information wasn’t exposed in either the earlier credential-stuffing attack nor the recent breach, Wegmans said, noting that it doesn’t store such financial information on its servers. Instead, Wegmans only retains a token that’s linked to payment cards, leaving it up to its third-party payment card processor to retain payment card details. “This token cannot be used to make any purchases other than with Wegmans,” according to the breach notification letter. “Accordingly, your credit card information is not at risk because of this incident.”

Wegmans forced a password reset on all affected accounts to prevent the attackers from successfully logging in.

The supermarket chain also urged customers to change their passwords for their Wegmans.com accounts, and to change their passwords at any other online account where customers use the same credentials – i.e., the same email address and password. “You should not reuse passwords for different online or mobile accounts,” according to the letter, which also recommended that customers review their Wegmans.com account transaction histories for unauthorized charges.

During this more recent incident, Wegmans said that in spite of the passwords being hashed, it’s not a bad idea for customers to change their passwords this time, either. That goes for any account for which customers are reusing the same password, Wegmans advised, noting that “It is generally a good idea to use a unique password for each online account you may have.”

For what it’s worth, it’s also a good idea to avoid using passwords that are drop-dead simple to crack by dictionary attacks or simply by following the news of the day. That was demonstrated last week, when authentication firm Authlogics came out with a report that found that the word “football” popped up 353,993 times in its database of 1 billion unique, clear-text, breached passwords. It was the most popular word out of a raft of football-inspired weak passwords to crop up during he European soccer championship (a.k.a. the Euros).

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.

Suggested articles