Another unsecured database has leaked data online, threatening the privacy of users. This time, an unsecured database belonging to a third party exposed 8 million UK shoppers' records.
UK Shoppers' Records Exposed
Security researcher Bob Diachenko has found another unsecured database exposing a huge amount of user records. This time, the unsecured MongoDB database exposed UK shoppers’ data containing explicit information with over 8 million records.
As detailed in a blog post by Comparitech, the researcher found the exposed MongoDB database on an unsecured AWS server. Further research linked the leaked details to customers of various e-commerce services. The database itself belonged to a third party.
The vendor’s app pulled sales records from marketplace and payment system APIs like that of Amazon UK, eBay, Shopify, PayPal, and Stripe to aggregate retailers’ sales data and calculate value-added taxes for different EU countries.
In brief, the database included explicit personal details of the customers as well as information about sales. The leaked data included customers’ names, email addresses, contact numbers, purchase details, shipping addresses, order IDs, and the last four digits of the payment card numbers. It also included links for Shopify and Stripe invoices.
A major portion of the exposed data belonged to Amazon UK and eBay, whereas the data from the other vendors, Shopify, Stripe, and PayPal, made up small portions.
Database Now Offline
Upon discovering the unprotected database, which was exposed for five days, researchers alerted Amazon to the matter since they hosted the server. While it took the researchers some time to identify the database owner, they later decided to keep its name undisclosed.
After the report, Amazon swiftly took action to pull the database offline. Below is a copy of their statement to the researchers:
We were made aware of an issue with a third party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon. The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.
While the database is now offline, the researchers still urge users to stay alert to fraudulent activities targeting them.