1.1 Million People – Reebonz, Data Breach

22nd May 2020, TurgenSec Limited, Statement v0.75

On the 26th of May 2020 Reebonz contacted TurgenSec and informed us that the possible breach we have identified belongs to a test database with no genuine customer database inside.

Note: This statement will be updated with further information including the full data headings which will assist in assessing the severity of this breach.

Archive of statement updates

Summary

  • Our security researchers discovered a data breach containing the personal information of 1.1 million individuals including financial information.
  • We made efforts to identify the data controller and believe, with a high level of confidence, that this is Reebonz.
  • We made multiple, increasingly escalating attempts to contact those responsible for securing the data in order that they could close the data leak. 
  • Despite multiple attempts (as outlined in the Appendix), TurgenSec could not establish a secure communication channel with Reebonz.

Due to the sensitive nature of the data, which we judge to be of high risk to the rights of individuals involved, our number one priority is to close this security hole.

Summary of Breached Data

  • For 1.1 million ‘users’, the following personal and highly confidential information headers were present: 
    • UserID
    • Phone Number
    • Email (Hashed)
    • First Name
    • Last Name
    • Password (Hashed)
    • Password Token
    • Last Login
    • Timezone
    • Language
    • Gender
    • Sso Token
    • Identity Number
    • Member Type
    • Date Of Birth
    • Credits (Balance)
    • Avatar
  • For 800k “Merchant orders”, the following personal and highly confidential information headers were present: 
    • UserID
    • MerchantId
    • OrderId
    • ProductId
    • Title (Product title)
    • Variant (Size/Color etc.)
  • These “Merchant orders” correspond with 770k “OrderIDs”, which contained the following personal and highly confidential information headers:
    • Address Type (shipping/billing)
      • Name
      • Address Line 1
      • Address Line 2
      • Address Line 3
      • Town or City
      • StateOrCounty
      • PostalCode
      • PhoneNumber
    • PaymentMethodId (e.g. Visa)
    • Erp Payment Code
    • Payment Auth Code
    • Provider (e.g. Adyen)
    • Amount
    • Currency
    • Payment Provider Reference
    • User Agent
    • Ip address
  • For the 380+ “merchants” the following personal and highly confidential information headers were present: 
    • Company Name
    • Website Url
    • Twitter Handle
    • Facebook Page
    • Pinterest
    • Shipping Address
      • Name
      • Line 1
      • Line 2
      • Line 3
      • TownOrCity
      • StateOrCounty
      • PostalCode
    • Primary Contact Number
    • Secondary Contact Number
    • Bank Details
      • Name
      • AccountType
      • AccountNumber
      • AccountHolder
      • BranchNameCode
      • SwiftCode
  • The database also contained detailed information about the couriers, suppliers, promotions and gift cards of customers and clients among other information.

TurgenSec message to Reebonz

TurgenSec is willing and keen to assist Reebonz in remedying this breach. TurgenSec does not seek compensation for this assistance and will happily open a secure communications channel with Reebonz at their earliest convenience in order to facilitate full responsible disclosure (having exhausted all other communication options). 

We sincerely hope Reebonz will accept this offer so the breach can be secured and the impacted individuals/companies informed.

Disclosure Process

In line with its Responsible Disclosure Policy, TurgenSec triaged the breach to ascertain whether or not the exposed data should be publicly accessible. When it became clear the data should not be publicly exposed, we quickly moved to determining ownership of the data set.

TurgenSec made 11 attempts to contact Reebonz, and liaised with the Concierge over WhatsApp to confirm receipt of our emails. TurgenSec also attempted to contact several executives of Reebonz on LinkedIn. As this was unsuccessful, in line with our Responsible Disclosure Policy, we next move to disclose this breach publicly.

Appendix – Outreach to Reebonz:

  • 25th March 2020 – TurgenSec emailed Reebonz at [email protected] informing them we had found a data breach and wished to communicate with “someone in compliance or security so that we can provide them with the details”
    • TurgenSec received an automatic response acknowledging the email and saying: ‘Case #200325-000051 - “Reebonz Data Breach” has been created by you. We will respond within the next business day.’
  • 20th April 2020 – In accordance with our responsible disclosure policy, TurgenSec emailed [email protected] and [email protected] furnishing them with the IP address involved in the breach and asking if the IP was theirs. 
    • TurgenSec received another automated response acknowledging the email: ‘Case #200420-000075 - “Data Breach – Responsible Disclosure” has been created by you. We will respond within the next business day.’
  • 22nd April 2020 – TurgenSec emailed [email protected] and [email protected] providing them with redacted screenshots containing information Reebonz could use to identify the legitimacy of our claim of a data breach. 
    • A further automatic response arrived, acknowledging our email and saying: ‘Case #200422-000206 - “Data Breach – Responsible Disclosure” has been created by you. We will respond within the next business day.’
  • 5th – 11th May 2020 – TurgenSec connected to Reebonz Concierge via WhatsApp.
  • 19th May 2020 – TurgenSec emailed [email protected] and [email protected] outlining our intention to proceed in line with our responsible disclosure policy and requesting “Could you please reply by email or contact us as soon as humanly possible, on +44 (0) xx xxxx xxxx”
    • An automatic response acknowledged the email: ‘Case #200519-000140 - “URGENT – Data Breach – Responsible Disclosure” has been created by you.’
  • 20th May 2020 – TurgenSec once more contacted the Reebonz Concierge through WhatsApp.
  • 20th May 2020 – TurgenSec attempted to call Reebonz on their international contact number within their listed business hours (GMT+8), only to be greeted by a recorded message stating their offices were closed.
  • 20th May 2020 – A TurgenSec director sent multiple LinkedIn requests to Reebonz executives (including the CEO and CTO) and those listed in senior positions in an attempt to open a dialog or to have the matter taken seriously. 
    • TurgenSec received no response.
  • 21st May 2020 – In the interest of data security and in line with our Responsible Disclosure Policy, TurgenSec reached the decision that we should next partially disclose this breach publicly.