Kickstarter sensation exposes over 500,000 records containing clients’ data

Peak Design Exposes Over Half a Million Records in Data Leak Incident

Over half a million records with clients’ data and a decade’s worth of support tickets have been publicly exposed and likely accessed by threat actors after a US accessories maker forgot to set a password.

Peak Design, a California-based manufacturer and retailer of bags and accessories for travelers and photographers, exposed its clients’ private data to anyone on the internet. The company, known for its successful crowdfunding campaigns and strong Kickstarter community, raised nearly $36 million to fund the creation of its award-winning product designs.

The leaked data included customer email addresses, home addresses, order information, shipment tracking codes, and customer support inquiries. The Cybernews research team identified the leak on April 25th. The leaked support tickets span nearly a decade, from June 2014 to May 2023, which magnifies the scope of the leak.

The data leak was caused by a publicly accessible instance of Elasticsearch, an open-source search engine used to analyze large amounts of data. Elasticsearch servers should never be exposed to the public web without proper authentication, as they are common targets for threat actors.
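The misconfiguration described above can be caught before deployment by auditing `elasticsearch.yml`. The following is an added example, not code from the article or from Peak Design: the sample configs are constructed, the finding labels are hypothetical, and an absent `xpack.security.enabled` is treated as disabled, a conservative assumption that matches pre-8.0 defaults.

```python
import ipaddress

# Constructed sample resembling the exposure described in the article.
SAMPLE_EXPOSED = """\
cluster.name: support-tickets
network.host: 0.0.0.0
xpack.security.enabled: false
"""

# Constructed sample of a corrected configuration.
SAMPLE_HARDENED = """\
network.host: _local_
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' subset of elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname, list, _site_ or _global_: assume reachable

def audit(text):
    """Return hypothetical finding labels for one elasticsearch.yml."""
    s = parse_flat_yaml(text)
    findings = []
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    host = s.get("http.host", s.get("network.host", "_local_"))
    exposed = not is_loopback(host)
    if not auth_on:
        findings.append("auth-disabled")
    if exposed:
        findings.append("non-loopback-bind:" + host)
    if not auth_on and exposed:
        findings.append("CRITICAL:unauthenticated-and-reachable")
    if auth_on and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("http-tls-disabled")
    return findings
```

A check like this belongs in CI or configuration management, so that a node bound to a routable address with authentication off never reaches production.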

Cybernews researchers found a ransom note on Peak Design’s systems, indicating that the threat actor likely accessed the data at least once. The ransom note demanded around $3,940 in Bitcoin to prevent the public release and deletion of customer data.

Although the leaked data was not updated in real time, the exposure of customers’ personal information remains a significant concern. The company has since secured access to the data, but an official response has yet to be received. The leaked data could be misused by gray-market marketing agencies, data brokers, and spammers, or used for phishing and doxxing attacks, which is a cause for alarm.
