Misconfigured Database Leaks Info on 150K E-commerce Buyers
Security researchers have found a misconfigured cloud-hosted database leaking over 300,000 records, including sensitive personal information on e-commerce buyers.
A team at Safety Detectives found the leaky Elasticsearch database on July 25 this year but claimed the content had been exposed without any password protection or encryption since November 2020.
Its efforts to close the leak have so far proven unsuccessful, after hosting firm Alibaba did not reply to the team’s outreach, and the identity of the database owner remains a mystery.
All Safety Detectives has been able to ascertain from the 500MB data leak is that the owner is a Chinese ERP provider serving businesses that sell goods on platforms like Amazon and Shopify.
Around half of the 329,000 exposed records contained buyers’ names, phone numbers, email, billing and delivery addresses, according to the report. In some cases, seller names, email addresses and billing information were also leaked.
German, French and Danish e-commerce customers featured among the haul, with as many as 150,000 potentially exposed, the report claimed.
The leaked data would be a goldmine for scammers, who are past masters at reusing personal information in follow-on phishing and identity fraud attempts designed to