Huge U.S. Supermarket Chain Exposes Sensitive Credentials

Company name and location: Wegmans, based in the USA

Size (in GB and amount of records): 626 MB (No. of records unknown)

Data Storage Format: Microsoft Azure Blob

Countries Affected: USA (but only company technical data)

The Website Planet research team has uncovered a data breach affecting the U.S. regional supermarket and eCommerce chain Wegmans.

Wegmans is a large business with more than one hundred stores dotted across seven eastern states. The brand offers a range of foodstuffs both online and in-store.

Wegmans’ misconfigured Microsoft Azure Blob Storage Server has exposed sensitive credentials that could have placed Wegmans at critical risk of further data leaks, potentially compromising several of the company’s systems.

Company Data Leaked

Wegmans has compromised its systems by exposing 626MB of private company data. The files were stored on an Azure Blob Storage server that was configured without any password protection.

Among the leaked sensitive files were several different types of data:

• Backend secrets: Which uncover numerous examples of confidential company information and passwords to company accounts
• Access keys: Including keys that grant entry to several other servers,  as well as Wegmans’ SQL database
• AES decryption keys: Which can unencrypt other files
• Whitelisted IPs
• Deployed files: That provide further information about Wegmans’ website.

Note that for ethical reasons we did not access any of the protected files and we did not test the passwords. This private information was left publicly available and could have provided anyone with access to several other sensitive materials on databases, documents, and accounts. While this leak did not affect customers directly, it could have a significant impact in the future.

The server was live at the time of discovery, suggesting the content of the server is current and relevant to Wegmans’ business operations today.

You can see evidence of exposed access keys, passwords, and AES decryption keys below.

Passwords could be found amongst logs of ‘backend secrets’, while keys provide access to other databases. An access key to Wegmans’ SQL database can be seen below.

Other forms of leaked information immediately affect Wegmans’ operations. Additional logs of backend secrets, deployed files, and whitelisted IPs provide plenty of useful information to potential hackers.

The variety and scale of sensitive data that was included on Wegmans’ server is worrying, with information that affects Wegmans’ business both on and off-line.

So, who has been affected by this breach? And what future impacts could Wegmans’ leak have?

Who Was Affected?

Wegmans is the solely affected party thus far. Leaked backend secrets, deployed files, website credentials, and whitelisted IPs may affect the functions of its business in the short term.

However, the comprehensive array of access privileges that can be granted by other forms of leaked data could place every aspect of Wegmans’ business operations, and the extent of its customer base, at increased risk of cyber attack.

It’s not possible to estimate the number of affected individuals until we know the exact privileges that the databases’ access keys, passwords, and decryption keys provide.

Given that Wegmans’ leak provides access to their primary SQL database, the leak could potentially affect a large portion of their customer base. Currently, however, this breach principally affects Wegmans and its business operations.

Who Was Leaking the Data?

Wegmans is a regional supermarket chain with a considerable presence in the eastern states of America. In particular, Wegmans emerged from New York in 1916, which is where the majority of its stores now reside.

Wegmans manages 105 stores in total and has more than 50,000 employees. It is one of the biggest private companies in the United States with an extensive online presence, generating an annual turnover of around $10 billion per year.

Not only do several references to Wegmans highlight that the company owns the open Azure Blob Storage Server, access logs and Company URLs included on the server also identify Wegmans Food Markets Inc. as the owner of the database.

Impact on Wegmans

Though we cannot be sure whether Wegmans’ database was accessed by unethical hackers, the leak’s timespan does posit Wegmans at increased risk of further targeted cyberattacks.

The leak, therefore, throws up the possibility of several damages to Wegmans and its business.

Data Privacy Violations

Should Wegmans’ unsecured server have been accessed by unethical hackers, the array of access keys and passwords would likely grant them entry to documents containing sensitive customer (or employee) data.

We cannot know the content of other databases for certain as (for ethical reasons) we do not test credentials. Nonetheless, access keys to Wegmans’ SQL database are included in this breach, and SQL servers usually contain customer data.

We don’t know whether hackers have accessed Wegmans’ database, of course, but it’s possible that customer data has been stolen if ill intentioned hackers has seen Wegmans’ leaked files.

If Wegmans has leaked the customer data of US citizens, the company would be liable to punishments and sanctions from the United States’ Federal Trade Commission.

Under Section 5 of the FTC Act, the company could be fined $100 million, with guilty individuals placed under arrest, if Wegmans is found to have leaked customer data.

Competition Espionnage

The wealth of information included on databases, company accounts, documents, and logs of backend secrets means viewers can learn a lot about Wegmans’ business.

This offers an attractive prospect to rival businesses, who may have had access to the data. They could learn industry secrets and reasons behind Wegmans’ success, stealing ideas to give themselves a competitive advantage.

One of the many accounts, databases, or documents that are accessible with leaked credentials could provide links to other forms of sensitive company data, such as financial information or user lists.

If a rival company was to access a user list, they could target these users with better offers – effectively undercutting Wegmans’ business.

Fraudulent Websites

Deployed files on the server offer immediate opportunities for one cybercrime in particular.

Hackers could see key details about Wegmans’ eCommerce site with deployed files, tapping into website credentials and code. Attackers could audit this code, using the details to expose vulnerabilities in the website.

Attackers could create an accurate clone of Wegmans’ website with this technical information.

This would not only drain revenue from Wegmans, but it would also target Wegmans’ customers with fraudulent attacks – recording financial data and card details, or selling faulty/non-existent products.

Status of the Data Breach

The investigation was fairly straightforward and there were no issues when attempting to identify the database’s owner. The server clearly belonged to Wegmans based on its content.

On March 10th, 2021, we sent a responsible disclosure of the data breach to Wegmans after discovering its unsecured Azure Blob Storage Server. We did not receive any reply, and we reached out again on March 16th, April 5th and April 12th 2021.

The Director of Information Security at Wegmans, replied to our message on April 13th, 2021, and we sent a follow-up on the 19th of April, as the storage was still exposed.

He finally replied, thanking us for the information, and on April 19th, 2021, Wegmans’ breach was secured.

These dates show that the breach was open for at least 1 month and 9 days. The server was likely unsecured before we found it, so this timespan could be longer.

Protecting Your Data

Wegmans’ employees and customers need to be wary of the possible impacts of this breach. There are steps that individuals can take to mitigate the risk of cybercrime.

Wegmans should begin securing its systems before anything else. This means changing all account passwords, changing database passwords, changing access passwords on documents, and even moving files to other locations if needs be.

Wegmans should move any sensitive material exposed in this breach onto encrypted documents and should consider changing any other credentials or information included on the server that could be used against them.

Employees should be wary of individuals who are contacting the business and asking an excessive amount of questions about its practices. Company secrets could give competitors enough information to appear trustworthy when presenting themselves as a client or colleague. Wegmans should integrate additional procedures to authenticate employees and minimize this risk.

Both Wegmans, and Wegmans’ customers, should be aware of any potential ‘copycat’ websites or domains. Wegmans should hire security professionals to monitor the internet for any clone sites, and customers should look for a secure (padlock) symbol at the top of the domain. This shows the website is secure, as does a ‘https’ before any domain name.

Finally, Wegmans should heighten the activity of its security team, checking the security of all of its databases regularly. Implementing advanced security procedures would ensure the safety of Wegmans’ customers, while rebuilding any reputational damage incurred from this data leak.

How and Why We Report on Data Breaches

We want to help our readers stay safe when using any website or online product.

Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.

We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.

By reporting these leaks, we hope to make the internet safer for everyone.

What is Website Planet?

Website Planet prioritizes honesty and serves as the premier resource for web designers, digital marketers, developers, and businesses with an online presence. We provide tools and resources tailored to individuals at all skill levels, from beginners to experts.

We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a famous European office supplier, as well as a breach in an Indian B2B online packaging marketplace leaking sensitive data.

You can read about how we tested five popular web hosts to see how easily hackable they are here.