Well-known Online Store Faces More Cybersecurity Issues, All It Took Was One Click

  • At Morele.net, all it took was being logged in and changing the number in the link to view another customer’s e-mail and phone number.
  • The company assures that the data has not been used by third parties.
  • This is not the first time Morele.net has had problems with data protection. Since 2019, UODO has been trying to punish it for leaking the data of 2.2 million customers.

Without hacking, special skills or password cracking - customer data of the Morele.net online store was available at your fingertips.

How was it possible to obtain Morele.net customer data?

All you had to do was log in to the store - even as a new user - and paste into your browser any link whose address contained an order number. By changing the order number in the link, you could display another customer's data, such as a phone number or email address. This information is enough for someone to start spamming, calling or attempting scams using the "grandchild" or "courier" method. The vulnerability was described by the website wieszanatrzeciastrona.pl.
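What the paragraph above describes is a missing per-object authorization check: the store verified that a visitor was logged in, but not that the requested order belonged to that account. As an added illustration (not code from Morele.net or from the reporting site), the Python below contrasts the two checks and includes a regression check for cross-account reads; the data model, function names and status codes are assumptions, and the sample records are constructed.

```python
# Added illustration; data model, names and status codes are assumptions,
# not Morele.net's code. Sample records below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # account that placed the order
    email: str
    phone: str

ORDERS = {o.order_id: o for o in (
    Order(1001, "alice", "alice@example.com", "+48 000 000 001"),
    Order(1002, "bob", "bob@example.com", "+48 000 000 002"),
)}

def get_order_login_only(session_user, order_id):
    """Flawed pattern: any logged-in account may read any order number."""
    if session_user is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)

def get_order_owner_checked(session_user, order_id):
    """Object-level check: the order must belong to the session's account."""
    if session_user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Same 404 for "missing" and "not yours", so responses do not
    # reveal which order numbers exist.
    if order is None or order.owner != session_user:
        return 404, None
    return 200, order

def cross_account_reads(handler, users):
    """Regression check: list (user, order_id) pairs where a user
    received an order owned by a different account."""
    leaks = []
    for user in users:
        for order_id in ORDERS:
            status, body = handler(user, order_id)
            if status == 200 and body.owner != user:
                leaks.append((user, order_id))
    return leaks

if __name__ == "__main__":
    users = ["alice", "bob", "new_user"]
    print("login-only:", cross_account_reads(get_order_login_only, users))
    print("owner-checked:", cross_account_reads(get_order_owner_checked, users))
```

Run against a test environment with two or more accounts, a check like `cross_account_reads` belongs in the release test suite so that a handler losing its ownership check fails the build.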

The author of the site reported the bug to the company (an anonymous customer of the shopping service had previously written to him). "After confirming the existence of the vulnerability, we removed it within 2 hours of confirming the report," assures Anna Pieprzak-Socha from Morele.net. "We immediately took actions to limit the impact of the vulnerability. We are in the process of identifying the root cause of the situation," she adds.

The Morele.net vulnerability case is being handled by UODO

As the company assures, cybercriminals did not use this loophole. "The vulnerability was used solely for verification purposes by the reporting party and the journalist, and all actions were within the bounds of responsible disclosure," Pieprzak-Socha tells WNP.

The case was reported to the Office for Personal Data Protection. As confirmed by the spokesperson for the authority, an analysis is currently underway. Only when the UODO completes its activities will it become clear whether Morele.net will have to pay another fine for a violation involving its customers' data.

PLN 3.8 million fine for Morele.net awaits final court decision

Let us recall that in September 2019, the President of the Office for Personal Data Protection imposed a fine of PLN 2.8 million on the company in connection with the leak of personal data of 2.2 million people. The company appealed to the court. After four years, the Supreme Administrative Court overturned the first decision of the authority. However, the Office conducted a new proceeding and in February 2024, the President of the Office again punished the company Morele.net for violating the provisions of the GDPR. This time, the fine amounted to over PLN 3.8 million.

The decision of the supervisory body was once again appealed to the Provincial Administrative Court in Warsaw. It dismissed Morele.net's complaint against the decision of the president of the UODO.

Currently, the case is awaiting a decision by the Supreme Administrative Court, as the company has also appealed against the judgment of the Provincial Administrative Court.

wnp.pl
