A company with a California address that runs an online promotional gift platform exposed emails from more than 300,000 customers – including about 2,500 from U.S. military and government domains – and has apparent links with China, raising operational and national security concerns.

Researchers with Cybernews in July discovered an Elasticsearch instance belonging to EnamelPins that was unsecured and contained the 300,000-plus emails sente between the company and its customers, with the emails containing such data as full names, other private personal information, and product design documents.

While the Cybernews researchers found the open Elaticsearch instance July 10, it was first indexed on the search and analytics engine on April 22 and – after “multiple follow-up emails and submissions to CERT (Computer Emergency Response Team),” they wrote – was finally closed by EnamelPins November. 5.

The EnamelPin customers whose information was exposed by the open instance risk being targeted by bad actors with spearphishing and other cyberattacks, with the Cybernews researchers warning that the “long exposure increases the risks of third-party threat actors accessing the data.”

Popular Gift Service

EnamelPins, a privately-held company with headquarters in Walnut, California, that has been around for more than five years, runs a gift service – gs.jj[.]com – through which civilians, military personnel, and government workers can order such emblematic accessories like soft and hard lapel pins, medals, and patches that Enamel Pins designs and manufactures. According to the company, it has more than 20,000 customers.

About 2.500 of the exposed emails were from .mil and .gov domains and belonged to varying military an government branches. Most of the emails involved orders for products like coins, medals, battalion emblems, and patches.

The researchers wrote that “the emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses. The attachments included designs for the emblems.”

Links to China

Adding to the troubling exposure of information of civilian and military customers were operational links with China.

Other security issues with the EnamelPins website included leaked information about a Git repository, which are used to virtually store version of a project’s code and tracks changes made to files. In this case, the leaked Git repository information including the configuration, folder, and file structure of the website.

Cybernews researchers said the leaked information appears to have been accidentally upload and left open, revealing the links with China. The information revealed that the website’s source code repository is hosted on a server in China and that its assets are hosted on Alibaba Cloud. The administration login page is written in Chinese.

In addition, they noted that customer support personnel communicate in broken English and that “longer delivery times reflect shipping from China.” EnamelPin’s communications on YouTube notes that it has a “complete expert team in China” with a lot of offices and agencies in North America.

A Tense Time

The exposure of so much information – particularly of military and government personnel – also comes at a time of increasing tensions between the United States and China, including ongoing cyber campaigns being run by Chinese states-sponsored threat groups that are using intrusions into the networks of critical infrastructure organizations in the United States to steal data and create a long-term presence in the compromised systems.

“This leak illustrates how a simple emblem order may become a potential Operational Security failure within the US military and government,” the researchers wrote.

They don’t know where EnamelPins stores customer data, but added that the United States doesn’t have a law similar to the European Union’s General Data Protection Regulation (GDPR) the requires data being stored locally to reduce the risk of exposure.

“Due to the Chinese government’s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings,” the researchers wrote. “This leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information.”

They added that instances within Elasticsearch that hold sensitive data need protection through firewalls, authentication tools, and authorization systems.