A software vendor used by small retailers in the EU exposed a database of nearly 8 million sales records on the web without a password or any other authentication required to access it. The documents contained sales records including customer names, email addresses, shipping addresses, purchases, and the last four digits of credit card numbers, among other info. Anyone could find and access the data.

Security researcher Bob Diachenko took steps to responsibly disclose the data exposure as quickly as possible, but other unauthorized parties could have accessed the information in the meantime. The data could be used by bad actors to phish or scam customers with targeted messages.

Comparitech also contacted PayPal, Stripe, and Shopify, but none gave comment on the record about the incident.

Timeline of the exposure

In all, the data was exposed for about five days. That would give less scrupulous data thieves plenty of time to find and steal the data, but we do not know for sure whether any other unauthorized parties accessed it.

What data was exposed?

Some eBay purchases were affected, but that data did not come directly from eBay, an eBay spokesperson told Comparitech. “We investigated and found that no eBay systems were compromised and no data was taken from eBay,” the spokesperson said. “The incident appears to be related to a PayPal API, which is under independent control and not managed by eBay.”

The vast majority of records personally identified customers in the UK, including:

  • Customer names
  • Shipping addresses
  • Email addresses
  • Phone numbers
  • Orders (items purchased)
  • Payments
  • Redacted credit card numbers (last four digits)
  • Transaction and order IDs
  • Links to invoices for Stripe and Shopify

Although we know about 8 million records were exposed in total, that does not mean 8 million people were affected. Each record is an individual sale, but a single customer might account for multiple sales.

Dangers of exposed data to customers

This exposure exemplifies how, when handing over personal and payment details to a company online, that info often passes through the hands of various third parties contracted to process, organize, and analyze it. Rarely are such tasks handled solely in house.

Although a third-party software vendor was responsible for the database, affected customers will likely lay blame on the vendors who use it and the marketplaces where they made purchases.

About APIs

Developers are required to properly secure data upon receipt, storage, usage, and transfer. Failure to comply with data protection policies can result in suspension or termination of API access.

One of the steps Stripe takes to help users mitigate potential security incidents is to scan public code repositories, merchant applications and other websites for its users’ secret API keys. If it sees a specific user’s secret key publicly visible somewhere, Stripe automatically emails them with a description of where it saw the key, such as a URL or line number. It does not seem that would have prevented this incident, however, since the exposure here was a database left open without authentication rather than a leaked key.
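Stripe's own scanner is not public; the following is an added Python example (not Stripe's, Comparitech's or the vendor's code) of the same idea: a scan that reports the file and line number of a Stripe-style secret key while redacting the key in the report. It assumes the `sk_live_`/`sk_test_` key prefix convention, and the sample files are constructed.

```python
import re
from typing import Dict, List

# Assumption: Stripe secret keys start with sk_live_ or sk_test_ followed by a
# run of alphanumerics. Publishable keys (pk_...) are safe to expose and are not matched.
STRIPE_SECRET_RE = re.compile(r"\b(sk_(?:live|test)_[A-Za-z0-9]{16,})\b")


def redact(key: str) -> str:
    """Keep only the prefix and last four characters so the report never re-leaks the secret."""
    return key[:8] + "..." + key[-4:]


def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per matched key, with its source and 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in STRIPE_SECRET_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "key": redact(match.group(1))})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory {path: content} mapping; on disk this would walk a checkout."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


# Constructed sample repository: a live key and a publishable key in a settings file,
# a test key pasted into a README, and an app that correctly reads the key from the environment.
SAMPLE_FILES = {
    "config/settings.py": 'STRIPE_SECRET_KEY = "sk_live_FAKEFAKEFAKEFAKEFAKE1234"\n'
                          'STRIPE_PUBLISHABLE_KEY = "pk_live_FAKEFAKEFAKEFAKEFAKE0000"\n',
    "README.md": "Use sk_test_EXAMPLEEXAMPLEEXAMPLE9876 for local testing.\n",
    "app.py": "import os\nimport stripe\nstripe.api_key = os.environ['STRIPE_SECRET_KEY']\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['source']}:{finding['line']}: possible Stripe secret key {finding['key']}")
```

Only the two hard-coded secret keys are reported; the publishable key and the environment-variable lookup are not flagged.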

Comparitech elected not to publicly disclose the name of the vendor responsible for the database because it is a legitimate small business. Our intent is to raise awareness and mitigate harm to customers who might be affected, not to punish mistakes. Given that the vast majority of customers are probably not aware their data ever passed through this vendor’s hands, we do not believe there is much to be gained from exposing it.

How and why we discovered this incident

Comparitech and security researcher Bob Diachenko collaborate to uncover unsecured personal data that’s been exposed on the web. Upon finding exposed personal data, we immediately take steps to identify responsible parties and notify them.

After responsible disclosure, we investigate the data to learn who is affected and what personal information was leaked. Once the data has been secured, we publish a report like this one to raise public awareness and curb potential harm to end users.

Our goal is to head off any malicious attacks that leverage personal data, such as identity theft and phishing.

Previous reports

Comparitech and Diachenko have worked together on a number of data incident reports affecting millions of people, including:

  • 250 million Microsoft customer service and support records exposed
  • 267 million Facebook user IDs and phone numbers exposed online
  • 2.7 billion exposed email addresses from mostly Chinese domains, 1 million of which included passwords
  • Detailed personal records of 188 million people found exposed on the web
  • 7 million student records exposed by K12.com
  • 5 million personal records belonging to MedicareSupplement.com exposed to public
  • 2.8 million CenturyLink customer records exposed
  • 700k Choice Hotels customer records leaked