Some of Decathlon’s employee data, stolen in a breach two years ago, has now ended up on the dark web, cybersecurity researchers say.
A blog post from vpnMentor revealed how someone posted a new thread on an online forum, with a database allegedly containing personally identifiable information (PII) of around 8,000 Decathlon employees.
The database, published on September 7, was 61 MB in size and apparently contained enough sensitive information to carry out a phishing campaign or identity theft: full names, usernames, phone numbers, email addresses, countries and cities of residence, authentication tokens, and photos.
Misconfigured databases
The data was collected in 2021. At that time, vpnMentor recalls, the technology and consulting company Bluenove partnered with Decathlon for its Vision 2030 campaign. Bluenove is a company working on ‘massive collective intelligence’, while Decathlon is a French sporting goods retailer. During the Vision 2030 campaign, Bluenove conducted a survey among Decathlon employees and customers.
It stored the data it generated in an Amazon Web Services (AWS) S3 bucket, which was misconfigured. As a result, someone stole the data that was there before Bluenove could lock it down in mid-April of that year.
Now, two years later, the data has surfaced and, according to vpnMentor, there’s a good chance it’s legitimate. “While we no longer have the data samples from the original breach incident due to our retention policies, our report from before shows that the data shared in the hacker-posted sample is consistent with the data we found two years earlier,” wrote vpnMentor in a blog post. “This confirms that the recently shared database is authentic.”
Bluenove acknowledged the existence of the data breach, the researchers said, adding that they are advising the consultancy on how to limit the damage. Although Decathlon and its employees are the real victims here, the company is not to blame and could not have done anything to prevent this, the researchers concluded.