[BreachExchange] E-commerce firm StorEnvy hacked; 1.5m plain-text accounts leaked
Destry Winant
destry at riskbasedsecurity.com
Mon May 11 10:19:55 EDT 2020
https://www.hackread.com/e-commerce-firm-storenvy-hacked-accounts-leaked/
StorEnvy database has been dumped on a hacker forum for free download.
The popular e-commerce website StorEnvy known for its online store
building and social marketplace has been hacked. As a result, personal
details of over 1.5 million customers and merchants have been leaked
online on a hacker forum for free download, Hackread.com has learned.
Launched in 2012; the St., Chico, CA-based company is home to millions
of customers who are now at risk.
According to the database seen by Hackread.com, the data contains
emails, passwords, full names, usernames, IP addresses, city, gender,
and links to social media profiles.
What’s worse is that all the data such as passwords are available in
plain-text format. In some cases, order details like date of order,
order number, and payment method used in the purchase can also be
seen. However, apparently, shipping addresses or payment card data is
not in the database.
Nevertheless, all this data combined is a goldmine for hackers and
cybercriminals to carry out phishing/malware attacks, identity-theft
related scams, and compromise accounts using the same passwords on
other sites.
Sample data being traded on a hacker forum (Image: Hackread.com)
Hackread.com got in touch with some Storenvy customers who confirmed
that they are registered with the e-commerce website.
A screenshot sent by one of the affected customers to Hackread.com
Although the exact year of the data breach is yet unknown, based on
the fact that most of the credentials are still working the breach
appears to be recent. Or, it can also be that the database contains
accounts that are inactive and their passwords were not changed for a
long time.
I decided to share with you Storenvy cracked dump merged with full SQL
dump. Below is a sample of the shared data. All passwords are valid
and can be tested on Storenvy, said the hacker on the hacker forum.
It is worth noting that according to some media reports, Storenvy
suffered a data breach in August 2019 in which allegedly 23 million
login credentials were stolen sold on the dark web. However, there was
no actual proof of the breach at that time.
If you are a Storenvy customer or merchant, change your password right
now. Also, change the password for the email address in case you are
using the same password on both accounts, get in touch with the
company to inquire about the breach.
Hackread.com has also contacted Storenvy and this article will be
updated based on their response.
It seems like e-commerce companies around the world are under attack.
Just a few days ago it was reported that Indonesian e-commerce giant
Tokopedia was hacked and login details of 91 million customers were
sold on the dark web.
More information about the BreachExchange
mailing list