Misconfigured Database Leaks Data on 300K E-commerce Buyers
Security researchers have found a misconfigured cloud-hosted database leaking over 300,000 records, including sensitive personal information on e-commerce buyers.
A team at Safety Detectives found the leaky Elasticsearch database on July 25 this year but claimed the content had been exposed without any password protection or encryption since November 2020.
Its efforts to close the leak have so far proven unsuccessful, after hosting firm Alibaba did not reply to the team’s outreach, and the identity of the database owner remains a mystery.
All Safety Detectives has been able to ascertain from the 500MB data leak is that the owner is a Chinese ERP provider serving businesses that sell goods on platforms like Amazon and Shopify.
Around half of the 329,000 exposed records contained buyers’ names, phone numbers, email, billing and delivery addresses, according to the report. In some cases, seller names, email addresses and billing information were also leaked.
German, French and Danish e-commerce customers featured among the haul, with as many as 150,000 potentially exposed, the report claimed.
The leaked data would be a goldmine for scammers, who are past masters at reusing personal information in follow-on phishing and identity fraud attempts designed to elicit more sensitive financial info.
“Home addresses are available on the database too. This makes home invasion/burglary a real possibility if personally identifiable information (PII) is sold on to other criminals. Thieves may target users who make high-value orders in the hope the victim’s house is full of expensive goods,” the report claimed.
“Theft of ordered goods is another risk associated with leaked order details. Tracking links, shipment times, courier information, delivery addresses and order information provide criminals with enough data to intercept and steal a user’s ordered goods.”
If the database owner is finally tracked down, they could face investigation from regulators of both the GDPR and China’s new equivalent legislation, the Personal Information Protection Law (PIPL).