Data leak at Corplife, delivery services & webshops

There was a data leak at a platform for employee benefits. The Chaos Computer Club reports on this and other involuntary data leaks.

At the beginning of the year, Corplife, a platform for employee benefits, was made aware of a data leak. As the company did not respond, the whistleblower contacted the Chaos Computer Club (CCC). The data remained accessible until mid-February 2025, because the gap was only closed after the CCC had reported it. It is still unclear whether those affected were informed; a request from heise online to the company on this point has not yet been answered.

The platform is available as both a web and an app version. It gives employees access to a marketplace with over 1,500 regional and international brands in areas such as shopping, sport, travel, gastronomy and more. In addition to traditional discounts, Corplife also offers digital meal allowances that can be used tax-free and without paperwork. Companies such as Siemens, Microsoft, IBM, Casio, Dyson and Rituals already use Corplife. Since its foundation, the company has been the market leader in Austria and has also expanded into Germany, among other countries.

According to the CCC, around 7,800 pkpass files, CSV files with around 145,000 names, email addresses and company affiliations, the source code and a database backup were openly accessible. Spot checks suggest that this was not merely test data. According to the CCC, a 7 gigabyte database backup, which was reachable online because directory listings were enabled on the web server, contained around 165,000 user accounts including names, email addresses, postal addresses, company affiliations and password hashes, as well as tens of thousands of orders. Parts of this can still be traced via an archived link.
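Enabled directory listings are the kind of "frighteningly trivial" exposure the CCC describes: the web server itself enumerates the files in a folder for anyone who asks. The following is an added example (not code from Corplife or the CCC) of the check a practitioner runs against a suspicious path: it recognises an autoindex page and flags the linked entries that look like backups or exports. The HTML in `SAMPLE_INDEX` is a constructed Apache-style listing, not a capture from any server named here, and the suffix list is an assumption about what usually matters.

```python
"""Detect an exposed directory listing and flag sensitive files in it.

Added example with constructed sample HTML; not code from any company
or from the CCC. The suffix list is an assumption, extend it as needed.
"""
import re
from html.parser import HTMLParser
from typing import List

# Assumed set of file types that should never sit in a web root.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".csv",
                      ".pkpass", ".zip", ".tar.gz", ".env")


class _LinkCollector(HTMLParser):
    """Collects every href on the page; autoindex pages are just <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    """Heuristic used by most scanners: Apache and nginx autoindex pages
    carry an 'Index of /path' title, Apache also a 'Parent Directory' link."""
    return (re.search(r"<title>\s*Index of /", body, re.I) is not None
            or "Parent Directory" in body)


def exposed_files(body: str) -> List[str]:
    """Return linked entries in a listing that match a sensitive suffix.
    Sort links (href starting with '?') and sub-directories are skipped."""
    if not is_directory_listing(body):
        return []
    collector = _LinkCollector()
    collector.feed(body)
    return [h for h in collector.hrefs
            if not h.startswith("?") and h.lower().endswith(SENSITIVE_SUFFIXES)]


# Constructed sample: what an Apache autoindex response for /backup/ looks like.
SAMPLE_INDEX = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="db_2025-01-15.sql.gz">db_2025-01-15.sql.gz</a>  7.0G
<a href="users_export.csv">users_export.csv</a>  18M
<a href="passes/">passes/</a>
<a href="README.txt">README.txt</a>
</body></html>"""

if __name__ == "__main__":
    print("listing:", is_directory_listing(SAMPLE_INDEX))
    print("flagged:", exposed_files(SAMPLE_INDEX))
```

In practice the body comes from an HTTP GET of the directory URL; the parsing above is the part worth keeping offline. The server-side fix is to turn the feature off (`Options -Indexes` in Apache, `autoindex off;` in nginx) and, more importantly, to keep backups and exports out of any directory the web server can serve at all.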

Corplife, however, says the incident involved access to internal test servers that are used only for development and "do not contain any live data". The company said this in a statement to the Austrian data protection authority. After receiving the report it reacted immediately, closed the security gap and took further measures, such as "completely removing outdated and non-essential files and folders from the test server".


The CCC has also reported several other data leaks. One affected delivery services that use a shared backend from the software company Tom & Poolee. Logging in required no password: by incrementing the user ID, it was possible to log in to any of around 200,000 customer accounts. The same was possible with invoice numbers at the provider Karvi Solutions, which could likewise be incremented. This affected 399 delivery services throughout Germany. According to the CCC, the gap has not yet been completely closed.

Another data leak affected the webshop "kraftwerk-logistik.de", operated by "Paket.ag & EasyLox GmbH". The webshop sells PV systems, inverters, PV modules, storage systems and accessories. Here too, invoices from several years could be retrieved simply by incrementing the invoice number, as the CCC reports.
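The Tom & Poolee, Karvi Solutions and kraftwerk-logistik.de cases above are all the same bug class: an insecure direct object reference, where a sequential ID taken from the request is the only thing that decides which record comes back. The following is an added example (not code from any of the companies or from the CCC) that puts the vulnerable lookup next to the hardened one and runs the same "count up from a known ID" enumeration against both. The in-memory invoice table and the customer names are constructed sample data.

```python
"""IDOR on sequential invoice numbers: vulnerable lookup, fixed lookup,
and the enumeration that tells them apart.

Added example with a constructed in-memory table; not code from any of
the companies named in the article.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str        # username of the customer the invoice belongs to
    amount_eur: float


# Constructed sample data: sequential invoice numbers, three customers.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 80.50),
    1003: Invoice(1003, "alice", 42.00),
    1004: Invoice(1004, "carol", 999.99),
}


def get_invoice_insecure(invoice_id: int) -> Optional[Invoice]:
    """Vulnerable pattern: the ID from the request is the only input.
    Nothing ties the record to the caller, so anyone who can reach the
    endpoint can walk 1001, 1002, 1003 ... and read every invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """Hardened pattern: look the record up, then check that the
    authenticated user owns it. 'Not found' and 'not yours' both return
    None, so the response does not even confirm that the ID exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return None
    return inv


def enumerate_ids(fetch: Callable[[int], Optional[Invoice]],
                  start: int, count: int) -> List[int]:
    """What the reporter did: count up from a known ID and note which
    ones return data. Against the insecure lookup this yields all IDs;
    against the fixed one only the caller's own records."""
    return [i for i in range(start, start + count) if fetch(i) is not None]


def opaque_reference() -> str:
    """Defence in depth, not a replacement for the ownership check:
    expose unguessable handles instead of sequential integers, so a
    missed check somewhere else cannot be turned into a bulk dump."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("insecure:", enumerate_ids(get_invoice_insecure, 1000, 10))
    print("as bob:  ", enumerate_ids(lambda i: get_invoice("bob", i), 1000, 10))
    print("opaque id:", opaque_reference())
```

The same shape applies to the password-less login described for the shared backend: a session issued from nothing but an incrementable ID is `get_invoice_insecure` with a user table instead of an invoice table, and the fix is the same, authenticate the caller first and authorise every record against that caller.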

A server of the software company ALFISolutions was also openly accessible. A CSV file with information on equity, income and other financial details of around 300 people could be viewed there. "Many of the breaches we reported are frighteningly trivial: Data is immediately openly accessible or it is enough to count up an ID. We would like to see more technical challenges," comments Matthias Marx, spokesperson for the CCC.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.