Ozon User Logins and Passwords Leaked Online: What It Means for the Retailer and Its Customers
Recently, a database containing the email addresses and passwords of nearly half a million Ozon online store users was posted on a data leak website, as discovered by RBC (the editorial team has a copy of the database). RBC checked about a hundred random emails from the database using the Email Checker service, and all were valid. However, the passwords listed no longer work for logging into Ozon.
A cybersecurity expert who reviewed the database at RBC’s request said the leak may have occurred six months ago. According to him, the database was compiled from two other databases he found on a hacker forum in November 2018 (RBC confirmed these databases were indeed posted there). Therefore, the passwords may already be outdated, as the company should have taken action after the database was found in the public domain.
How Did the Data End Up Online?
Ozon has never reported any leaks or hacks. However, in December 2018, the retailer’s CTO Anatoly Orlov unexpectedly announced that the company had changed its password recovery system, adding extra encryption. “In 2018, a new team came in and did serious work to strengthen security. Now all user passwords are stored in hashed form (‘irreversibly encoded’): an irreversible function is calculated from the password, so it can be checked by calculating the same function, but it’s impossible to recover the original password. The best secrets are those you don’t know yourself,” Orlov told TJ.
Before this, there were isolated complaints online from Ozon users about account hacks, but the company told users they were responsible for the breaches. “Your data was compromised as a result of a hack of one of your accounts on online services or malware infection on your computer or mobile device, and was used by a third party to access your Ozon.ru account,” the support team replied to one user’s complaint.
An Ozon press representative told RBC that the company monitors suspicious activity online and had seen the user data database. “The file you’re referring to has been circulating online for quite some time, and we thoroughly checked it when we found it. As far as we can tell, it contains data from users of various services, including some old Ozon user data. Apparently, these data ended up online because users on the list used the same passwords for different services. Hackers could also have obtained them at different times through malware attacks on users’ computers. For security reasons, we reset the passwords for those Ozon accounts found in the file as soon as we discovered it. We always reset passwords if our specialists find data in the public domain online—this is company policy,” the Ozon representative said.
Ozon is the fourth largest Russian online store, according to Data Insight analysts for 2018. It’s also among the top 20 most popular Runet sites, according to SimilarWeb. The company claims to have 30 million customers. In June, users visited the site 59 million times. The main shareholders of Ozon (LLC “Internet Solutions”) are AFK Sistema (Vladimir Yevtushenkov) and the Baring Vostok fund, which together own about 80% of the company.
How Could the Data Have Leaked?
Alexey Lukatsky, an information security consultant at Cisco Systems, says there are three possible scenarios for the leak: “An Ozon employee could have leaked the database, a hacker could have stolen it by breaking into the organization, or the leak could have been caused by a misconfigured external server that allowed unauthorized access to anyone. I can’t rule out any of these options.”
Lukatsky also believes there’s a chance that user passwords were stored in plain text at the time of the leak. “If the passwords had been encrypted, it’s unlikely anyone could have decrypted and posted them in plain text. If this database isn’t fake, we have to admit the passwords were stored in plain text. Unfortunately, this is a common practice,” he concluded.
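Orlov's description of hashed storage and Lukatsky's point about plain-text storage both come down to one property: a salted one-way hash can be recomputed to check a login, but a copy of the user table no longer contains anything that logs in by itself. The following Python is an added illustration written for this article, not Ozon's code; the iteration count, salt length and e-mail addresses are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for the illustration (not Ozon's real configuration).
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # per-user random salt


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is a one-way function of salt+password:
    it can be recomputed to verify a candidate but not reversed to the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_plaintext(users: dict, email: str, password: str) -> None:
    """The pattern Lukatsky describes: the password itself is the record, so any
    copy of the table is immediately a list of working credentials."""
    users[email] = {"password": password}


def store_hashed(users: dict, email: str, password: str) -> None:
    """The pattern Orlov describes: only a random salt and the digest are kept."""
    salt, digest = hash_password(password)
    users[email] = {"salt": salt, "digest": digest}


def verify_hashed(users: dict, email: str, candidate: str) -> bool:
    """Recompute the function over the candidate and compare in constant time."""
    record = users.get(email)
    if record is None:
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which e-mails exist.
        hash_password(candidate, b"\x00" * SALT_BYTES)
        return False
    _, digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def record_reveals_password(record: dict, password: str) -> bool:
    """True if the stored record contains the password itself, i.e. a leaked
    copy of the table would hand out the credential directly."""
    return any(value == password for value in record.values())


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    plain, hashed = {}, {}
    store_plaintext(plain, "user1@example.invalid", "correct horse")
    store_hashed(hashed, "user1@example.invalid", "correct horse")
    store_hashed(hashed, "user2@example.invalid", "correct horse")  # same password, different salt

    print("plain-text record leaks password:", record_reveals_password(plain["user1@example.invalid"], "correct horse"))
    print("hashed record leaks password:    ", record_reveals_password(hashed["user1@example.invalid"], "correct horse"))
    print("login with right password:       ", verify_hashed(hashed, "user1@example.invalid", "correct horse"))
    print("login with wrong password:       ", verify_hashed(hashed, "user1@example.invalid", "wrong"))
    print("identical passwords, equal digests?",
          hashed["user1@example.invalid"]["digest"] == hashed["user2@example.invalid"]["digest"])
```

The per-user salt is what makes the last line print `False`: two users with the same password get unrelated digests, so a leaked table cannot be cracked once and reused across accounts. This is also why a reset of the Ozon passwords, as described later in the article, only protects the Ozon account and not other services where the same password was reused.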
What Are the Consequences for Ozon?
Pavel Ikkert, a partner at the law firm NAFCO, says that under the law “On Personal Data,” the operator—in this case, Ozon—is required to ensure the security and confidentiality of users’ personal data, including preventing leaks. If the operator’s actions or inaction led to unauthorized access to personal data, the operator can be held administratively liable. “Article 13.11 of the Administrative Code provides for a fine of 30,000 to 50,000 rubles for such a violation, which is insignificant for a business the size of Ozon,” Ikkert clarified. However, to impose a fine, Roskomnadzor must prove that the operator’s actions or inaction caused the leak. “In practice, this is difficult, especially if the leak resulted from a hacker attack,” Ikkert noted.
Affected users can claim compensation not only for material damages, such as unauthorized access to banking information, but also for moral damages. However, proving moral damages and justifying the amount of compensation is also difficult in practice, Ikkert concluded.
Alexey Pavlov, head of Solar JSOC services promotion at Rostelecom, believes the correct response to such a leak should include two steps. “First, the company should force users to change their account passwords and notify them. Second, a thorough internal investigation should be conducted to identify how the data was compromised and to close any vulnerabilities found in systems or processes,” the expert said.
“You can only hide a hack if you’re sure no one will ever find out. But in today’s world, that’s impossible,” says Alexey Lukatsky. He believes it’s good practice to have an incident response plan, which should include measured communication with clients, partners, and the media.
What Are the Risks for Users?
Alexey Lukatsky noted that if passwords have been changed, hackers can no longer access Ozon user accounts. However, many people use the same passwords across different services, and “resetting the password on Ozon doesn’t mean users will change them on other sites where they’re registered.”
Alexey Pavlov agrees that using the same passwords on different sites means a leak from one account can give attackers access to others. “Additionally, with a database of accounts, scammers could use extra information from users’ personal accounts, such as phone numbers, emails, work and home addresses. Even just personal data and order information are a good basis for targeted phishing (sending emails with links or attachments containing malware),” Pavlov explained.
Other Major Data Leaks
According to InfoWatch’s 2018 report, the largest data leak in Russia occurred due to a vulnerability on the Rosobrnadzor website, compromising a database of 14 million former students.
The largest database of logins and passwords contains 25 billion accounts. IT magazine The Wired discovered it in early 2019. Most of the compromised data comes from previous leaks, including after the hacks of Yahoo, LinkedIn, and Dropbox databases.
Facebook has been accused several times of large-scale personal data leaks. The most recent was in April, when data was found in open access on other platforms and in Amazon’s cloud storage. Before that, Facebook representatives discovered that some user passwords were stored unencrypted on Facebook’s servers. It was reported that “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users” were left unprotected.