Massive data leak exposes customer selfies and unredacted credit cards on BuyGoods.com

A colossal data breach has been unveiled by cybersecurity researcher Jeremiah Fowler, who discovered a misconfigured cloud database exposing a staggering 198.3 gigabytes of sensitive information. The compromised database, linked to the global e-commerce marketplace BuyGoods.com, also known as Softwareproject, contained over 260,000 records, including customer selfies and unredacted credit card details.

 

BuyGoods.com, headquartered in Wilmington, Delaware, serves as a business management platform for product owners, marketers, and online shoppers, boasting a user base of 3 million consumers across 17 countries.

 

The unprotected database lacked any security authentication, making it openly accessible to the public. Within this repository were myriad records encompassing affiliate payouts, refund transactions, invoices, and other critical data. Alarming was the exposure of customers’ highly sensitive Personally Identifiable Information (PII) and Know Your Customer (KYC) data.

 

Customers’ records, such as selfies, identification cards, licenses, passports, and unredacted credit card details, were laid bare. This privacy breach extended globally, impacting individuals from various parts of the world.

 

Upon discovering the vulnerability, Fowler promptly notified BuyGoods.com, receiving a swift acknowledgment and assurance that the data had been secured. Despite these assurances, the server remained exposed for a period after the responsible disclosure.

 

In response to the incident, Fowler highlighted the severe threat misconfigured servers carrying PII or KYC data pose to online privacy and physical security. The implications of such breaches extend beyond simple data leaks, potentially leading to identity theft, financial fraud, and unauthorized access to personal accounts.