
Misconfigured database leaks data from 300K e-commerce buyers

Security researchers have discovered that a misconfigured cloud-hosted database has leaked more than 300,000 records, including sensitive personal information of e-commerce buyers.

A team at Safety Detectives found the leaking Elasticsearch database on July 25 this year and claimed that its contents had been exposed without password protection or encryption since November 2020.

After hosting company Alibaba did not respond to the team’s outreach, efforts to close the leak have proven unsuccessful so far, and the identity of the database owner remains a mystery.

From the 500 MB of leaked data, all Safety Detectives could confirm is that the owner is a Chinese ERP provider serving companies that sell their products on platforms such as Amazon and Shopify.

According to the report, about half of the 329,000 published records contained the buyer’s name, phone number, email, billing address, and shipping address. In some cases, the seller’s name, email address, and billing information were also leaked.

According to the report, e-commerce customers in Germany, France and Denmark were caught up in the leak, with as many as 150,000 customers potentially exposed.

The leaked data could be a gold mine for scammers, who are past masters at reusing personal information in follow-on phishing and identity fraud attempts designed to extract more sensitive financial information.

“Home addresses are also available in the database. This makes burglary/robbery a viable possibility if personally identifiable information (PII) is sold to other criminals. They could target users with high-value orders in the hope that the victim’s home will be filled with expensive items,” the report claims.

“Theft of ordered items is another risk associated with leaking order details. Tracking links, shipping times, courier information, shipping addresses, and ordering information provide criminals with enough data to intercept and steal the items ordered by users.”

If the database owner is ultimately tracked down, it may face investigations from regulators under both the GDPR and China’s new equivalent law, the Personal Information Protection Law (PIPL).
