A database containing the details of eight million transactions has been put online without any protection. It included a lot of personal information from customers of Amazon, eBay, PayPal, and other merchant sites.
A team of security researchers from Comparitech, led by Bob Diachenko, discovered a database containing information relating to eight million transactions. Half come from Amazon UK and eBay, while the other half are from customers of Shopify, PayPal, Stripe, and other merchant sites.
It is a MongoDB database hosted on Amazon Web Services (AWS), exposed online with neither encryption nor a password. Its content was indexed by search engines on February 2 and discovered by the researchers the next day. Bob Diachenko immediately contacted Amazon but was unable to identify the owner of the database until February 8. The owner then took it offline within the hour.
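The exposure described above is the classic MongoDB misconfiguration: a server bound to a public interface with no authentication, so anyone who finds the port can read the collections, and search-engine style scanners index it within days. The following mongod.conf fragment is an added illustration, not the configuration of the company involved (which is not published); the hostname, certificate path and network interface are placeholders. The first block shows the weak settings, the second the hardened equivalent using the standard mongod configuration keys.

```yaml
# --- WEAK (illustrative, matches the failure mode in the article) ---
# Listens on every interface, no authorization, no TLS: anyone who can reach
# port 27017 can read and write every database without credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # public exposure
# (no "security" section: authorization is disabled by default)

# --- HARDENED (illustrative) ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.25   # loopback plus the private VPC address only (placeholder IP)
  tls:
    mode: requireTLS            # encrypt data in transit
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled        # every client must authenticate; use least-privilege roles per app
```

With `security.authorization: enabled`, create a dedicated user with only the `readWrite` role on the application database rather than reusing an admin account; combine this with an AWS security group that permits 27017 only from the application subnet, so that even a later configuration mistake on the host does not re-expose the data. A quick defender's check is to connect from an unrelated host without credentials: `db.runCommand({listDatabases: 1})` should fail with an authorization error, not return the database list.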
The data could be used for a targeted phishing campaign
The name of the responsible company has not been released, but the information comes from an application used by sellers to calculate cross-border VAT for different European countries. The records include customer names, e-mail and postal addresses, telephone numbers, the list of products purchased and the last four digits of the payment card number used.
Thousands of Amazon Marketplace Web Services (MWS) requests, an MWS authentication token, an AWS access key ID and an AWS secret key were also exposed. These could be used to retrieve further information on sellers' transactions. According to an Amazon spokesperson, the database did not contain customer passwords or complete payment information. The researchers do not know whether anyone else accessed the database; its content could be used to craft highly targeted, and therefore more credible, phishing e-mails.