
SpeedX data leak exposes more than 840 million customer and driver records

SpeedX, a U.S.-based last-mile delivery company, exposed more than 840 million customer and driver records through an unsecured Microsoft Azure storage bucket, revealing names, home addresses, shipping labels, parcel delivery photos, and driver identification documents in one of the largest known delivery-related data exposures to date.


The exposed data was discovered in March 2026 and included extensive operational records tied to parcel deliveries across the United States. The files contained customer delivery information, images confirming package drop-offs at residential properties, shipment tracking documentation, and sensitive driver-related records.


SpeedX, which provides last-mile delivery services for major e-commerce platforms including Shein, Temu, Amazon, and TikTok Shop, stated that an internal review identified what it described as a storage configuration issue involving Azure Blob storage metadata responses. The company said its investigation found no evidence of malicious activity, unauthorized access to sensitive customer data, or data exfiltration.


The company maintained that access to stored objects required knowledge of specific object paths and said the incident did not amount to unrestricted public exposure of protected customer information.


Researchers who examined the exposed storage disputed that assessment, stating that access to the files required only knowledge of the storage bucket’s name and did not require specific object path information. The researchers said the scale of the exposed records significantly increased the risk of fraud, social engineering schemes, identity theft, and operational targeting across delivery supply chains.


The leaked storage bucket reportedly contained 11 organizational prefixes grouping different categories of delivery data. One section alone held approximately 618 million files, primarily consisting of parcel photographs and shipping labels that revealed recipient details and delivery locations. Another section included more than 220 million PDF shipping labels documenting multiple stages of parcel transit, including final delivery destinations and recipient addresses.


Additional records included shipment summaries and batch delivery reports containing parcel tracking numbers, retailer information, processing facility addresses, and customer details. Nearly 105,000 files contained photographs of delivery drivers’ licenses, screenshots of SpeedX app credentials, and other supporting documentation believed to be related to driver verification procedures. More than 117,000 application log files were also exposed within the storage environment.


Some shipping labels referenced Raven Force Couriers, a Canadian delivery company that may operate as a cross-border logistics partner connected to SpeedX services.


The exposed storage bucket was secured after disclosure of the issue. Researchers said they did not observe evidence that the leaked information had been maliciously exploited before remediation. However, they warned that automated internet scanning tools routinely search for publicly accessible cloud storage repositories, increasing the possibility that other parties may have accessed or copied the data before the exposure was closed.


Cybersecurity experts warned that the exposed information could enable highly targeted delivery-themed phishing campaigns and other social engineering attacks. Fraudulent text messages or emails requesting package confirmations or address updates could be used to distribute malware or harvest additional personal information. The exposed records could also be combined with data from other breaches to build detailed consumer profiles for criminal use.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543