Office Depot Europe Exposed One Million Customer Records Online

  • Just under a million European customer records of Office Depot were leaked online.
  • The firm failed to properly secure a production server that exposed its network too.
  • It is likely that a hacker had already found a way into the corporate network before the discovery of the database.

The latest Elasticsearch database tumble comes from Office Depot Europe, who, according to a report shared by researcher Jeremiah Fowler, failed to protect a “live” production server. The researcher and his team found the accessible data on March 3, 2021, and immediately sent a disclosure notice to Office Depot.

The firm secured it within hours, and two days later, they thanked the reporters. Although the response was quick, the data may have stayed online and accessible by anyone for long enough to be exfiltrated by malicious actors.

In total, Fowler was able to access 974,050 records which included the following types of data:

  • Names
  • Phone numbers
  • Physical addresses (home and/or office)
  • @members.ebay addresses
  • Hashed passwords
  • SSH Login information
  • Dashboard and user group logs
  • Hostnames, IP addresses, and pathways
  • Middleware details

All in all, the data exposed both Office Depot customers and also the firm itself to the dangers of hacking and corporate network compromise. Unfortunately, most of the customer-exposing records were in plain text form, apart only from the passwords maybe.


As Fowler explained in his message to TechNadu, Office Depot made a peculiar announcement about a week prior to discovering the data, mentioning a malware infection that would cost them €20 million. This is matching the maximum amount of GDPR fines, so it’s possible that the firm was already dealing with an intruder who found his way in thanks to key details that were left exposed on the unprotected database.

The PII data contained in the exposed set has several references to German citizens, and so an investigation launched by the German data protection officer should be considered a given now. Also, if Office Depot failed to inform the authorities within 72 hours after the discovery of the data breach, as obliged by the regulation, additional fines may be imposed.

If you are a customer of Office Depot, you should first contact the firm and ask for details about the breach and how it affects you. Additionally, since phone numbers are included in the leak, you should be aware of the possibility of smishing - and generally tricky calls from scammers. The physical addresses also make post phishing likely, even though that’s seldom something that crooks bother with.

How to Watch The D’Amelio Show Season 2 Online From Anywhere
The D’Amelio family is back for Season 2 of The D’Amelio Show, a reality series that takes you into the world of...
How to Watch This England Online From Anywhere: Stream Sky’s New Boris Johnson Drama
A highly-anticipated drama that chronicles the story of Boris Johnson and his administration as they respond to the COVID-19 pandemic is going...
How to Watch The Real Housewives of Salt Lake City Season 3 Online From Anywhere
The Bravo reality series that was developed as the tenth installment of the Real Housewives franchise is back with a new season,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari