Office Depot Europe Exposed One Million Customer Records Online

  • Just under a million European customer records of Office Depot were leaked online.
  • The firm failed to properly secure a production server that exposed its network too.
  • It is likely that a hacker had already found a way into the corporate network before the discovery of the database.

The latest Elasticsearch database tumble comes from Office Depot Europe, who, according to a report shared by researcher Jeremiah Fowler, failed to protect a “live” production server. The researcher and his team found the accessible data on March 3, 2021, and immediately sent a disclosure notice to Office Depot.

The firm secured it within hours, and two days later, they thanked the reporters. Although the response was quick, the data may have stayed online and accessible by anyone for long enough to be exfiltrated by malicious actors.

In total, Fowler was able to access 974,050 records which included the following types of data:

  • Names
  • Phone numbers
  • Physical addresses (home and/or office)
  • @members.ebay addresses
  • Hashed passwords
  • SSH Login information
  • Dashboard and user group logs
  • Hostnames, IP addresses, and pathways
  • Middleware details

All in all, the data exposed both Office Depot customers and also the firm itself to the dangers of hacking and corporate network compromise. Unfortunately, most of the customer-exposing records were in plain text form, apart only from the passwords maybe.


As Fowler explained in his message to TechNadu, Office Depot made a peculiar announcement about a week prior to discovering the data, mentioning a malware infection that would cost them €20 million. This is matching the maximum amount of GDPR fines, so it’s possible that the firm was already dealing with an intruder who found his way in thanks to key details that were left exposed on the unprotected database.

The PII data contained in the exposed set has several references to German citizens, and so an investigation launched by the German data protection officer should be considered a given now. Also, if Office Depot failed to inform the authorities within 72 hours after the discovery of the data breach, as obliged by the regulation, additional fines may be imposed.

If you are a customer of Office Depot, you should first contact the firm and ask for details about the breach and how it affects you. Additionally, since phone numbers are included in the leak, you should be aware of the possibility of smishing – and generally tricky calls from scammers. The physical addresses also make post phishing likely, even though that’s seldom something that crooks bother with.



M1 MacBook Users Report Their Screens Cracking and Nobody Knows Why

A growing number of M1 MacBook owners are reporting mysterious cracks on the laptop’s screen.The users claim they never mishandled or dropped...

Scientists Prove Tricking Sophisticated Voice Authentication Systems Is Feasible

Researchers proved that state-of-the-art voice verification systems can be fooled using existing tools.All that would be needed is a set of machine-learning...

DISH and Sling TV Filed Lawsuits Targeting 4 Sports Streaming Pirate Sites

DISH and Sling TV filed a lawsuit against 'SportsBay', 'Freefeds', and 'live NBA' streaming domains.These platforms are redistributing the broadcasters’ sports channels...