
A major data leak at VTEX, a global e-commerce solutions provider based in Brazil, has exposed the personal information of more than six million shoppers worldwide. The breach, discovered by cybersecurity researchers at Cybernews on February 28, 2025, involved an unsecured cloud database that contained sensitive consumer data, including home addresses, phone numbers, email addresses, and detailed purchase histories.
According to Cybernews, the data was left accessible on the open internet due to an unauthenticated container—a common cloud storage misconfiguration that occurs when security permissions are improperly set. This oversight effectively left the data visible to search engines and open to anyone online. Despite multiple attempts by the researchers to alert VTEX, the company reportedly failed to secure the leaking database for several months. The exposed files were stored in Parquet format, typically used for handling large-scale analytical data.
VTEX, which powers more than 3,500 online stores and provides digital commerce platforms for major global brands such as Samsung, Nestlé, Mazda, Coca-Cola, Walmart, and Sony, has operations in 38 countries. Given the company’s international reach, cybersecurity experts have warned that the scope of the leak could have global implications for online shoppers and retailers alike.
The leaked information is particularly concerning because of its potential use in phishing and fraud schemes. With access to personal details and past purchases, cybercriminals could craft realistic messages that mimic trusted retailers, deceiving customers into disclosing financial credentials or login information. Researchers caution that shoppers might receive fake “order confirmation” or “delivery issue” notifications designed to harvest sensitive data.
Beyond digital fraud, experts note that the exposure of physical addresses and phone numbers could increase the risk of harassment, stalking, or doxxing. In light of these risks, Cybernews urged consumers to remain vigilant during the upcoming holiday shopping season. They advised users to avoid clicking unfamiliar links, verify sender addresses on emails claiming to be from retailers, and rely only on official brand websites or customer portals for communication.
Update: VTEX has issued the following statement.
VTEX became aware of the incident on October 7th, 2025 at 5:32 pm EST, and immediately started its investigation. Our internal investigation confirmed that VTEX’s infrastructure and systems remain secure, with no anomalies in our environments. Through our investigation, we identified that the leaked information originated from the third party’s internal system. This incident was unrelated to the VTEX platform.