
An international shipping platform, Hipshipper, has inadvertently exposed millions of shipping labels, revealing sensitive customer data. The discovery by the Cybernews research team highlights the growing risks associated with data security in global e-commerce.
The exposed data was stored in an unprotected Amazon Web Services (AWS) bucket, leaving over 14.3 million records publicly accessible. These records primarily consisted of shipping labels and customs declaration forms containing full names, home addresses, phone numbers, order details, mailing dates, and parcel descriptions.
The timing of the exposure is particularly concerning, as it was discovered in December—a peak period for international shipping when millions of consumers send and receive packages worldwide. Hipshipper, which facilitates international shipping for e-commerce sellers on platforms like eBay, Shopify, and Amazon, offers tracked delivery to over 150 countries, free insurance, and easy returns.
According to cybersecurity researchers, the implications of such a data leak are far-reaching. Cybercriminals could exploit the exposed information for malicious activities, including phishing scams, identity theft, and targeted cyberattacks. By impersonating trusted businesses, attackers could send fraudulent messages referencing specific orders to manipulate victims into revealing financial or personal details. Additionally, scammers could leverage order details to craft sophisticated phishing campaigns that appear more legitimate, increasing the likelihood of deception.
“Armed with leaked information about recent purchases or interactions, they enhance their plausibility and manipulate individuals into revealing sensitive data. Victims are more likely to comply, believing they are addressing an urgent and legitimate issue,” the Cybernews team explained.
Beyond online scams, researchers warn that physical security risks also arise from such data leaks. Personal details, such as home addresses and phone numbers, could be misused for stalking, harassment, or even burglary. Cybercriminals often compile such exposed data for financial gain, subjecting victims to fraud, reputational harm, or other forms of exploitation.
Fortunately, after being alerted by Cybernews, Hipshipper took swift action to secure the exposed AWS bucket, preventing further unauthorized access to the data. However, it remains unclear whether malicious actors accessed the information before the vulnerability was addressed. Automated bots continuously scour the internet for exposed databases, so bad actors may have obtained the leaked records before the bucket was secured.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543