Personal information of nearly eight million UK shoppers was exposed on the Internet after a software vendor left a MongoDB database reachable without any authentication. The records included customer names, shipping addresses, email addresses, purchase details and the last four digits of credit card numbers.
Comparitech’s security research team led by Bob Diachenko identified the unsecured MongoDB database on an Amazon Web Services server in early February. The owner of the database was found to be a third-party software vendor who helped merchants to aggregate sales data from multiple online marketplaces and VAT for cross-border sales. The database was secured by the vendor five days after its discovery.
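The misconfiguration described above, an instance reachable from the Internet with no authentication, comes down to two settings in mongod.conf. The following is an added illustration, not configuration from the vendor in this story: the exposed state beside a hardened baseline (the private address and TLS file path are placeholders).

```yaml
# --- Exposed state (illustrative): the server listens on every interface
# and access control is off, so anyone who can reach port 27017 can read
# and modify every collection without credentials.
net:
  bindIp: 0.0.0.0          # listen on all interfaces (the default before MongoDB 3.6)
  port: 27017
security:
  authorization: disabled  # the default: no credentials required
---
# --- Hardened baseline: bind only to the interfaces the application uses,
# require credentials for every client, and encrypt connections in transit.
net:
  bindIp: 127.0.0.1,10.0.1.5   # loopback plus the private app-tier address (placeholder)
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled   # every client must authenticate and hold a role
setParameter:
  enableLocalhostAuthBypass: false   # close the localhost exception once the admin user exists
```

Binding to private addresses is not a substitute for a firewall or security group that blocks 27017 from the Internet; both belong in place. Authorization only becomes useful after an administrative user has been created, which is normally done through the localhost exception before that exception is disabled.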
According to Comparitech, around four million of the leaked sales records discovered were related to eBay, Amazon UK, PayPal, Stripe, Shopify, and a few smaller shopping sites.
An Amazon spokesperson said, “We were made aware of an issue with a third-party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon.”
“The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third-party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way,” he added.
Exposed online databases enable hackers to carry out massive phishing campaigns
The exposed database, which held customer names, shipping addresses, email addresses, purchase details and the last four digits of credit card numbers, contained enough material to let hackers craft convincing phishing emails targeting UK shoppers. If the hackers could trick users into sharing their log-in details, they could theoretically hijack accounts and use stored cards and/or gift tokens to make fraudulent purchases.
Commenting on the massive exposure of personal information of millions of UK shoppers, Terry Greer-King, VP EMEA at SonicWall, said that because companies collect so much consumer data these days, it is more important than ever that they have the security in place to avoid data loss – the larger or more sensitive a company’s data collection, the bigger target it is and the more risk it has if hit.
"Personal information is simply too valuable on the Dark Web. As long as stolen data continues to fetch high prices and equip perpetrators with the means necessary to carry out attacks, hold victims ransom, extort information or destroy property, organisations must exhaust all measures to diligently detect and protect their networks, devices, and users," he added.