Original Post from InfoSecurity Magazine
Eight Million Shopper Records Leaked Online
Nearly eight million sales records containing the personal information of UK shoppers have been discovered exposed to the public-facing internet, after another cloud misconfiguration.
Noted researcher Bob Diachenko discovered the unsecured MongoDB database residing on an Amazon Web Services (AWS) server on February 3.
It was secured five days later, after Diachenko identified and notified the owner, a third-party company that helps merchants aggregate sales data from multiple online marketplaces and handle VAT for cross-border sales.
According to Comparitech, around half of the eight million sales records discovered in the database related to Amazon UK and eBay, with Shopify, PayPal, Stripe and a few smaller marketplaces and payment companies accounting for the rest.
“We were made aware of an issue with a third-party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon,” an Amazon statement explained.
“The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third-party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.”
Exposed data included customer names, email addresses, shipping addresses, purchases and the last four digits of credit card numbers — more than enough for hackers to craft convincing follow-on phishing emails to target those customers.
If they were able to trick users into handing over their log-ins, they could theoretically hijack accounts and use stored cards and/or gift tokens to make fraudulent purchases.
Vinay Sridhara, CTO of Balbix, argued that the incident follows the pattern of countless other data leaks over recent years.
“Despite billions invested in security, enterprises are failing at the infosec equivalent of washing their hands,” he added.
“Since an organization can’t improve what it can’t measure, the starting point for a company to improve their cyber-hygiene is to inventory, categorize and measure the criticality of their assets. From there, basic resilience begins with identity, encryption and network segmentation.”