Unsecured Access to Personal Data of Over One Million Leo Express Users
Leo Express is a prominent Czech company operating extensive train and bus networks across Central Europe. They offer users the ability to create accounts, participate in loyalty programs, and accumulate points for each ride booked.
Introduction to the Data Exposure Issue
During the account registration and usage process, every page load on the Leo Express website triggers a GraphQL query. GraphQL is a modern API query language designed to efficiently fetch client-specified data in a single request. However, investigations into Leo Express’s implementation revealed significant security weaknesses in how this API exposed sensitive user information.
How the Vulnerability Was Discovered
When signing up and logging into the Leo Express platform, it was observed that the GraphQL POST request returns the account details in JSON format. An example of the request structure is as follows:
{
  "query": "query getActualUserDataQuery($email: String, $token: String, $timestamp: Int, $locale: String) { getActualUserData(email: $email, token: $token, timestamp: $timestamp, locale: $locale) {...} }",
  "variables": {
    "email": "info@example.com",
    "token": null,
    "timestamp": 0,
    "locale": "cs"
  },
  "operationName": "getActualUserDataQuery"
}
The critical observation was that even with token values missing or altered, the server continued to return full user information for any supplied registered email address without proper authorization.
Data Accessible via This Flaw
- Full name
- Phone number
- Complete mailing address including state, city, street, and zip code
- Connected social accounts like Facebook and Google
- Account-specific loyalty points and bonuses
This unauthorized access to personal data constitutes a significant privacy breach and could potentially facilitate identity theft and targeted phishing attacks.
Exploring the Reflected XSS Vulnerability and Credit Card Exposure
In addition to the API issue, a reflected Cross-Site Scripting (XSS) vulnerability was identified on the order confirmation page. The URL structure used after ticket purchases looked like this:
https://www.leoexpress.com/en/order-confirmation?order=12345&email=info@example.com&state=success
The email parameter in this URL is directly inserted into the page without proper escaping or sanitization. Due to the absence of a Content Security Policy (CSP), an attacker could craft malicious URLs to execute arbitrary JavaScript within a user’s browser session.
Implications of the XSS flaw:
- Execution of arbitrary scripts when a logged-in user visits or is redirected to the malicious URL
- Potential theft of session cookies and user credentials
- Access to sensitive profile data, including partial credit card details
Notably, users with saved credit cards had parts of their credit card information exposed, including the card type, date added, the first 6 digits, and the last 4 digits—totaling 10 out of the 16 digits typically found on a card. Such data can be exploited for fraudulent transactions or social engineering.
Security Best Practices Highlighted by This Incident
This case study underscores several security principles vital in protecting user data:
- Proper API Authorization: APIs handling personal data must enforce strict authentication and authorization checks to avoid unintended data exposure.
- Input Validation and Output Escaping: User inputs incorporated into web pages, URLs, or scripts should always be sanitized and escaped to prevent injection attacks like XSS.
- Content Security Policies: Implementing a robust CSP can limit the execution of unauthorized scripts and help prevent exploitation of injection flaws.
- Minimal Data Exposure: Systems should avoid sending more data than necessary through APIs or UI to reduce the risk if data is compromised.
Historical Context and Industry Impact
This vulnerability, reported in early 2019 and patched within three months, aligns with broader industry trends where API security is increasingly under scrutiny. According to a 2023 report by IBM Security, API vulnerabilities contributed to over 40% of data breaches last year.
Moreover, reflected XSS remains a common attack vector in 2024, representing 22% of web application security risks, as noted by the OWASP Top Ten security risks.
Conclusion
The Leo Express data leak serves as a cautionary example of the risks related to improperly secured APIs and application vulnerabilities like XSS. Organizations managing sensitive user data must continuously evaluate and enhance their security frameworks, adopting modern security practices to safeguard customer information effectively.
Key takeaways:
- APIs must not expose user data without valid authorization tokens.
- XSS vulnerabilities can provide attackers with access to sensitive data or user sessions.
- Implementing Content Security Policy and rigorous input sanitization significantly reduces risk.
- Regular security assessments and prompt patching are critical for risk mitigation.