
SoylentNews is people

posted by Fnord666 on Tuesday March 17 2020, @08:09AM

Data of millions of eBay and Amazon shoppers exposed:

Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine.

A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.

Discovered by Comparitech's noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days.

Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

Also included were thousands of Amazon Marketplace Web Services (MWS) queries, an MWS authentication token, and an AWS access key ID.

Because a single customer might generate multiple records, Comparitech wasn't able to estimate how many customers might be affected.

About half of the customers whose records were leaked are from the UK; as far as we can tell, most if not all of the rest are from elsewhere in Europe.

[Ed. note. SoylentNews offers Stripe and PayPal for signing up for a site subscription. The breach mentioned in the story had to do with a company providing VAT (Value Added Tax) calculations for other companies. Since no VAT is required for a subscription, there is no reason for any subscription transactions with us to have been in the database. Out of an abundance of caution, I have reached out to both Stripe and PayPal for their confirmation. We will update this story when new information is made known. --martyb]

  • (Score: 5, Insightful) by looorg (578) on Tuesday March 17 2020, @09:25AM (#972123)

    Isn't it obvious by now that these companies are storing and hoarding way more information than they actually need to perform their function and service? They also seem prone to skimp on security for your data.

    Collect, use, delete. Not collect, use, store forever like some crazy hoarder.

  • (Score: 3, Insightful) by Bot (3902) on Tuesday March 17 2020, @10:39AM (#972135)

    I keep thinking it is a way for crooked employees or actual management to transfer data to a buyer while being only guilty of incompetence rather than malfeasance. Even the guy who gets it can claim incompetence. After all, 8 million records can be transferred in a second, it's not an expensive operation and one that can be done by following the link in the engines.

    --
    Account abandoned.