[BreachExchange] Unsecured Database Exposed 8 Million UK Shoppers Records

Destry Winant destry at riskbasedsecurity.com
Fri Mar 20 10:22:46 EDT 2020


https://latesthackingnews.com/2020/03/16/unsecured-database-exposed-8-million-uk-shoppers-records/

Another unsecured database has leaked data online, threatening the
privacy of users. This time, an unsecured database belonging to a
third party exposed 8 million UK shoppers' records.

UK Shoppers' Records Exposed

Security researcher Bob Diachenko has found another unsecured database
exposing a huge number of user records. This time, the unsecured
MongoDB database exposed UK shoppers' data, holding detailed personal
information across more than 8 million records.

As detailed in a blog post by Comparitech, the researcher found the
exposed MongoDB database on an unsecured AWS server. Further research
linked the leaked details to customers of various e-commerce
services. The database itself belonged to a third party.

The vendor's app pulled sales records from marketplace and payment
system APIs, such as those of Amazon UK, eBay, Shopify, PayPal, and
Stripe, to aggregate retailers' sales data and calculate value-added
tax for different EU countries. In brief, the database held detailed
personal information about the customers as well as information about
the sales themselves.

The leaked data included customers’ names, email addresses, contact
numbers, purchase details, shipping addresses, order IDs, and last
four digits of the payment card numbers. It also included links for
Shopify and Stripe invoices.

A major portion of the exposed data belonged to Amazon UK and eBay.
Data from the other vendors (Shopify, Stripe, and PayPal) made up
smaller portions.

Database Now Offline

Upon discovering the unprotected database, which had been exposed for
five days, the researchers alerted Amazon since Amazon hosted the
server. While it took the researchers some time to identify the
database owner, they later decided to keep its name undisclosed. After
the report, Amazon swiftly took action to pull the database offline.

Below is a copy of their statement to the researchers:

"We were made aware of an issue with a third party developer (who works
with a number of Amazon sellers), who appears to have held a database
containing information from several different companies, including
Amazon. The database was available on the internet for a very short
period of time. As soon as we were made aware, we ensured the third
party developer took immediate action to remove the database and
secure the data."

The security of Amazon's systems was not compromised in any way.
While the database is now offline, the researchers still urge affected
users to remain alert for fraudulent activity targeting them.

