SoylentNews

upstart writes in with an IRC submission for SoyCow420:

Data of millions of eBay and Amazon shoppers exposed:

Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine.

A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.

Discovered by Comparitech's noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days.

Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

Also included were thousands of Amazon Marketplace Web Services (MWS) queries, an MWS authentication token, and an AWS access key ID.

Because a single customer might generate multiple records, Comparitech wasn't able to estimate how many customers might be affected.

About half of the customers whose records were leaked are from the UK; as far as we can tell, most if not all of the rest are from elsewhere in Europe.

[Ed. note. SoylentNews offers Stripe and PayPal for signing up for a site subscription. The breach mentioned in the story had to do with a company providing VAT (Value Added Tax) calculations for other companies. Since no VAT is required for a subscription, there is no reason for any subscription transactions with us to have been in the database. Out of an abundance of caution, I have reached out to both Stripe and PayPal for their confirmation. We will update this story when new information is made known. --martyb]

:

Original Submission