In a recent cybersecurity incident, a hacker has exposed the personal information of nearly 8,000 Decathlon employees and customers worldwide.
The data breach was confirmed by the vpnMentor research team, who detected a 61-MB database allegedly belonging to the French sporting goods retailer Decathlon. The data, leaked on a web forum, included full names, usernames, phone numbers, email addresses, countries and cities of residence, authentication tokens, and photos.
The data leak was discovered on September 7, 2023, by vpnMentor, prompting immediate communication with both Bluenove and Decathlon to report the breach. Bluenove confirmed the existence of copies of the database circulating on darknet forums on September 18, 2023. Interestingly, the leaked information appeared to match a previous Decathlon employee data leak vpnMentor had reported in 2021, validating the authenticity of the recently shared database.
The breach was linked to tech and consulting company Bluenove, a partner in Decathlon’s Vision 2030 campaign. The data was originally collected through a survey and stored in a misconfigured Amazon Web Services (AWS) S3 bucket. vpnMentor had previously detected this leak on March 9, 2021, and reported it to Bluenove and AWS. The issue was addressed and fixed by April 13, 2021, after vpnMentor’s correspondence with Decathlon.
The potential impacts of this recent breach are substantial. The exposed information can be misused in elaborate phishing campaigns to extract further sensitive data. Malicious actors may impersonate official representatives of Bluenove or Decathlon to manipulate affected individuals into providing social security numbers or other sensitive personal identifiable information (PII). This information could then fuel identity theft and fraudulent financial or government transactions.
It’s important to note that neither the 2021 leak nor this recent data exposure was due to Decathlon’s negligence. The company was not responsible for securing the information collected by Bluenove and had no means to determine if outside actors had acquired the data. This incident highlights the ongoing challenge of safeguarding sensitive data in the digital age.