- 300,000 emails from EnamelPin, owner of gs-jj.com, exposed online
- Many originate from .gov or .mil sources, which are used by military or government workers
- The leak exposed the sites links to China
Researchers at Cybernews recently discovered over 300,000 emails from EnamelPin customers were exposed for months thanks to an open Elasticsearch instance.
EnamelPin Inc is the owner of popular gift site gs-jj.com, which sells medals, lapel pins, emblems, and more.
The leaked emails contained personal information such as full names and email addresses, around 2,500 were from .gov and .mil domains. The site is unsurprisingly popular amongst US government officials and military officers, who had ordered products such as coins, patches, and medals.
National Security Concerns
“The emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses,” Cybernews researchers said.
Other security issues were discovered on the site, such as the exposure of hidden git repository configuration, folder, and file structure of the website.
The data was left exposed for months, according to researchers. The information was publicly accessible from April 22 until December 5, which left many customers at risk, particularly of identity theft.
Whilst EnamelPin Inc is registered in California and aimed at civilians, the leak exposed previous unknown links to China. Researchers found a publicly accessible Git configuration file which revealed the website’s source code repository is hosted on a Chinese server.
The company also has an ‘complete expert team in China’, long delivery times suggest overseas fulfilment, and the customer support team communicate in broken English.
“Due to the Chinese government’s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings,” Cybernews added.
“This leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information.”