The Website Planet research team identified a data exposure affecting the American wholesale and logistics platform ePallet Inc.
ePallet is a business-to-business brand that provides a supply-chain solution for retailers and manufacturers.
An Amazon S3 bucket owned by the company was misconfigured, exposing the data of hundreds of other businesses in the process.
Companies’ Data Exposed
ePallet’s storage bucket was left open, without any password protection in place. As a result, the company’s AWS S3 bucket exposed over 2.5 million files equating to over 600 GB of data.
Among the exposed files were numerous forms of sensitive data relating to ePallet, and the companies that have ordered, sold, and delivered goods through its platform.
We found five separate data sets on the bucket that exposed ePallet, its partners, and its clients: Orders and bills, order attachments, customer-related files, miscellaneous certifications, and ePallet credit applications.
Orders and Bills
Orders and bills (or rather “bill of lading” documents) outline transactions between businesses buying and selling wholesale goods through the ePallet platform. Hundreds of files of this type were on the bucket.
Orders and bills exposed the sensitive data of ePallet clients and partners, including:
Company details, such as company names & addresses of buyers and vendors.
Carrier information, i.e. each carrier company’s name and address.
Shipment information, such as goods ordered, pickup/delivery date, weight, quantity.
Note: A bill of lading is a type of document that’s handed between shippers and carriers. It details information on goods and orders that is needed by carriers, while also acting as a receipt.
You can see an example of orders and bills in the following screenshots.
Order attachments accompanied client orders. We found thousands of files of this type on the bucket.
Order attachments detailed sensitive data affecting clients and partners:
Shipment information, sometimes in scannable barcodes
You can see evidence of order attachments below.
Customer-related files were found on the misconfigured bucket. These appear to be documents collected by ePallet about the businesses using the ePallet platform.
Customer-related files featured a range of sensitive client data:
Contact details, including company phone numbers, fax numbers, and email addresses
Financial information (in some cases), i.e. company revenue
Various other company details, i.e. company age, employee count, etc.
Customer-related files varied in type and featured a large variety of information; some of this data is not outlined in this report. The files ranged from company profiles (reports on the details of companies) to the credit applications of other businesses, and tax-related documents. ePallet requires proof of reseller’s permits and (for non-profit organizations) tax status, which may explain a portion of these files.
You can see evidence of customer-related files in the following screenshots.
Miscellaneous certifications were stored on the bucket as well. These appear to be certifications granted to companies selling goods through ePallet. The certifications were issued by a variety of institutions and for numerous different purposes. For example, one certificate was a “kosher certificate” granted to a food company, demonstrating that its products were approved by a rabbinic agency.
Although certificates do not detail large amounts of vendor data (generally company names plus certificate details), their presence could be used against ePallet vendors in forms of cybercrime.
ePallet likely stores these certifications as proof that they exist. You can see evidence of a miscellaneous certification below.
Credit applications were stored on the open AWS S3 bucket which exposed information related to ePallet, its business operations, and its staff. ePallet submitted these credit applications to other businesses.
ePallet credit applications exposed various forms of sensitive company data:
Federal ID number
Contact details, phone numbers, email address, fax number
Staff names, i.e. the CEO’s name and various others
Various other company details, such as company age, lease/ownership status of the property
An example of a credit application is outlined below.
ePallet’s Amazon S3 bucket was live and being updated at the time of discovery. The owner of an AWS S3 bucket (in this case, ePallet) is responsible for its security. As such, Amazon is not at fault for ePallet’s data exposure.
Based on the volume of 4-digit ID numbers within the bucket’s folder names (each one thought to indicate a unique business), we estimate hundreds of businesses are affected by ePallet’s data breach.
ePallet may be subject to legal sanctions because of this data breach.
Who was Affected?
ePallet’s misconfigured Amazon S3 bucket has exposed company data, along with the data of client businesses (“buyers” using epallet.com) and partners (goods manufacturers/vendors and carriers—those businesses delivering the products sold on epallet.com).
ePallet does not operate outside of the United States and all of the information on the bucket appears to relate only to US businesses.
Huge corporations sell products through ePallet’s website. M&Ms, Twix, Skittles, and Snickers are listed as “featured vendors” on epallet.com’s landing page, while a range of other prevalent “manufacturing partners” also sell products on the site, from Gillette to Arm & Hammer. We cannot confirm whether any of these companies have information exposed on the bucket.
Who was Exposing the Data?
Founded in 2017, ePallet Inc. is an online wholesale supply-chain service headquartered in Agoura Hills, California, in the United States.
ePallet’s website (epallet.com) is an AI-driven platform that connects businesses with manufacturers, allowing retailers to purchase wholesale goods in full-pallet increments directly from the source.
In addition to its “online wholesale marketplace,” ePallet partners with carriers to provide logistics solutions for goods ordered through the website. This streamlines the distribution process while providing fresh business opportunities to manufacturers and clients.
ePallet specializes in foodstuffs, though the company does sell other products that one might expect to find in a supermarket, including baby products, medical products, and household items. ePallet has fewer than 25 employees and generates under $5 million in revenue.
Impact on ePallet Clients and Partners
We cannot know whether unethical hackers and malicious actors have accessed the content of the open AWS S3 bucket. However, ePallet’s clients and partners could face several impacts from this data breach should this be the case.
BEC, Scams, Phishing, and Malware
ePallet customers, vendors, and carriers could experience phishing attempts, scams, and malware attacks because of this data breach. Cybercriminals could contact businesses using email addresses and phone numbers on customer-related files.
In phishing attempts and scams, hackers could reference other forms of exposed information to build trust with the victim and create a narrative around the reason for communications.
Business email compromise (BEC) attacks are a type of targeted phishing attempt. Criminals exploit leaked email accounts to send users messages while posing as a known source with a legitimate reason for contact. The contact details, staff names, and delivery information exposed on the bucket make BEC possible.
For example, hackers may contact clients posing as a representative of the carrier, product vendor, or ePallet. A hacker could reference order/shipment details to build trust with the victim, claiming that there is an issue with the delivery.
Hackers may contact vendors or carriers claiming to be a representative of the client or ePallet. Again, hackers could reference the details of orders to suggest there is an issue. Perhaps, the hacker claims a refund is needed because part of the order hasn’t arrived.
Hackers could also use company details, financial information, or certificates to build a narrative around their communications.
Once the victim trusts the cybercriminal, the attacker may attempt to extract personal or sensitive information from the victim or victimized business. This is called a phishing attempt. The hacker may also try to convince the victim to click a malicious link. Once clicked, malicious links can download malware onto the victim’s device to supplement further cybercrimes.
Cybercriminals could also leverage this trust to lure victims into popular scams and fraud. For example, the hacker could convince a business to pay a fake invoice in a fake invoice scam or to file a fraudulent refund in a refund scam.
Theft, Robbery, Burglary
Businesses could be targeted based on the high value of their orders or the financial information available on the bucket.
Orders and shipments may also be targeted in theft and robbery attempts. A variety of order and shipment information has been exposed, including carrier information, delivery dates, delivery addresses, and shipment values. This information could be used to plan organised thefts with assailants intercepting carriers at depots or during their delivery route.
ePallet clients and partners could be affected by competition espionage, too, which we’ll cover alongside ePallet in the next section.
Impact on ePallet Inc.
ePallet may experience cybercrimes, too, if hackers have accessed the bucket’s content. ePallet could also be subject to legal sanctions and punishments if the company has violated data privacy regulations.
Data Privacy Violations
ePallet could face sanctions from the Federal Trade Commission (FTC). The FTC protects the confidentiality of sensitive and nonpublic information collected from individuals and businesses.
The FTC Act governs unfair or deceptive acts and practices affecting commerce. ePallet could face fines and punishments if the FTC deems the company has violated this regulation. The maximum fine for exposing customer data is $100 million. Guilty individuals could also be arrested in serious cases.
Loss of Business
ePallet Inc. could suffer a loss of business from its data breach. ePallet clients and partners have had their data exposed, and some businesses may choose to move their trade elsewhere as a result. Potential future clients and partners may choose to use a different platform because of this data breach, too.
ePallet may suffer from competition espionage with so much data about its business operations, clients, and partners exposed on the open Amazon S3 bucket.
Rival businesses could potentially acquire the bucket’s content to learn about ePallet’s client list, pricing, and various business details. Rival businesses could target ePallet clients with offers to undercut ePallet’s business.
Furthermore, cybercriminals could contact ePallet to phish for industry secrets and intellectual properties. Attackers could pose as a trustworthy source, perhaps referencing order details and staff names to appear as a colleague discussing an order. From here, cybercriminals could attempt to coerce more sensitive data from ePallet employees—information relating to the company’s business operations.
Status of the Data Breach
Extensive references to ePallet throughout the bucket, including within document headers, meant identifying the owner of the bucket was a fairly straightforward process.
The Website Planet research team discovered the bucket on October 6th, 2021, and sent a message to ePallet on the same day. After reaching out several times, we received a reply from a support agent on October 18th, 2021. The support agent put us in contact with the CTO, who replied on October 25th, 2021.
We disclosed ePallet’s breach to the CTO but never received a reply. Unfortunately, our efforts to reach the CTO thereafter were unsuccessful and we never heard from ePallet’s CTO again. We even attempted to contact the company’s CEO. We also reached out to AWS but did not receive a reply.
Protecting Your Data
ePallet, along with its clients and partners, must take various steps to reduce the risk of cybercrime.
Companies and employees must be extra vigilant when receiving calls or emails from an unknown source. Employees must not provide sensitive or personal information to an unknown source unless they are absolutely certain the caller/emailer is legitimate. Companies should implement methods that allow employees to authenticate themselves to one another when talking over the phone or email.
Carriers must be aware of the threat of theft, as should company employees at depots and business addresses.
Finally, ePallet or the entity that manages its data storage should check the security of any other databases, servers, or buckets under its control. Cloud storage solutions should be checked at regular intervals moving forward.
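The kind of check described above, as an added example written for this page (it is not code from Website Planet or ePallet): a small audit that inspects the three things that make an S3 bucket publicly readable, the account/bucket Block Public Access settings, the bucket ACL, and the bucket policy. The input dictionaries mirror the shapes that boto3's get_public_access_block, get_bucket_acl and get_bucket_policy return, so the function can be pointed at live responses; the sample values below are constructed for the example, and the bucket names and owner ID are placeholders.

```python
"""Offline audit of S3 bucket settings for public exposure (example code).

The dict shapes follow boto3's get_public_access_block / get_bucket_acl /
get_bucket_policy responses; every sample value here is constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(name, public_access_block, acl, policy_json=None):
    """Return a list of findings; an empty list means no public exposure found.

    ACL and policy findings are reported even when Block Public Access is
    fully on, because a permissive grant that is merely being neutralised
    becomes live the moment someone relaxes those settings.
    """
    findings = []
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if not pab.get(key, False):
            findings.append(f"{name}: Block Public Access setting {key} is off")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be unwrapped
            statements = [statements]
        for st in statements:
            if (st.get("Effect") == "Allow"
                    and _principal_is_public(st.get("Principal"))
                    and not st.get("Condition")):
                findings.append(f"{name}: bucket policy allows {st.get('Action')} to any principal")
    return findings


# Constructed sample: an open bucket of the kind described in this report.
EXPOSED_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]})

# Constructed sample: the same bucket after hardening (all four blocks on,
# owner-only ACL, no bucket policy).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
]}


if __name__ == "__main__":
    for label, pab, acl, pol in (
        ("example-exposed-bucket", EXPOSED_PAB, EXPOSED_ACL, EXPOSED_POLICY),
        ("example-hardened-bucket", HARDENED_PAB, HARDENED_ACL, None),
    ):
        for finding in audit_bucket(label, pab, acl, pol) or [f"{label}: no public exposure found"]:
            print(finding)
```

To run it against a real account, feed audit_bucket the responses of boto3's s3.get_public_access_block(Bucket=name), s3.get_bucket_acl(Bucket=name) and s3.get_bucket_policy(Bucket=name)["Policy"] for each bucket in s3.list_buckets(); note that the first call raises NoSuchPublicAccessBlockConfiguration and the last raises NoSuchBucketPolicy when nothing is configured, and both cases should be treated as "not set" rather than as errors. Scheduling that loop (for example from a daily job) is what "checked at regular intervals" looks like in practice.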
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet safer for everyone.
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence.
Our team of ethical security research experts uncovers and discloses serious data leaks as part of a free community service we perform for the web at large.