A database containing nearly 8m sales records was left exposed online without a password by a software vendor used by small retailers in the EU according to a new report from Comparitech.
The documents in the database contained sales records including customer names, email addresses, addresses, purchases, the last four digits of credit card numbers and other personal information. Since the database wasn’t protected with a password, anyone could have found and accessed the data it contained.
The software vendor’s app pulled sales records from Amazon UK, Ebay, Shopify, PayPal and Stripe to aggregate retailers’ sales data to calculate value-added taxes for different countries in the EU. As of now, the exact number of retailers and customers affected is still unknown.
Independent security researcher Bob Diachenko and Comparitech’s security research team first discovered the exposed AWS server containing the MongoDB database last month. Diachenko then took steps to responsibly and quickly disclose the data exposure but unauthorized parties may have accessed the information contained in the database before it was eventually secured.
The sales records contained on the server were exposed for about five days but cybercriminals still could have managed to steal customer data during that short time period.
Of the exposed data, roughly half of it was in the form of sales records from Amazon UK and Ebay. Shopify, PayPal and Stripe records made up a smaller portion of the data along with several other smaller marketplaces and payment systems.
Unfortunately for customers in the UK, the vast majority of the sales records contained their personal information including names, addresses, emails, phone numbers, orders, payments, redacted credit card numbers, transaction and order IDs and links to invoices for Strip and Shopify. An Amazon spokesperson did reach out to Comparitech to inform them that the email addresses and credit card details from its online store were not exposed.
While 8m sales records were exposed by the software vendor, it doesn’t mean that 8m people were affected as each record is for an individual sale and a single customer might account for multiple sales.
- Also check out our complete list of the best VPN services