The database including more than 450 thousand e-mail addresses and user passwords from accounts of the Russian online store Ozon was found on one of the sites that collect data leaks.
According to journalists, the leak occurred six months ago, but the company did not declare it. The found database combines two other bases, the originals of which were found on one of the hacker forums in November 2018.
As it turned out, a massive data leak could occur in three cases: data theft by an Ozon employee, an attack by a hacker who got inside the organization, or an incorrectly configured external server that opened unauthorized access to the database to anyone.
It is interesting to note that in 450 thousand of published logins and passwords, the number of data belonging to users of the company does not exceed a few percents.
“At the same time, most of the discovered accounts are inactive, that is, they have not been used for a long time,” the company said.
Ozon explained that after the leak became known, compromised passwords were reset, and users were notified of the incident.
The official representative of Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media) Vadim Ampelonsky said that Roskomnadzor intends to obtain explanations from the online store Ozon due to the leakage of user data.
Ampelonsky noted that Roskomnadzor is concerned about the actions of Ozon under the circumstances, as the online store did not notify in a timely manner about this situation, which threatened the safety of customers.
According to the official representative of Roskomnadzor, the e-mail address and password not only allows access to the user’s account, but also allows to collect personal information and to act on his behalf.
The press Secretary of Roskomnadzor said that at the moment Russian laws do not oblige to notify the Supervisory authority about leaks, but now the relevant regulatory documents are being developed.