hosted on Amazon Web Services holding eight million retail sales records from
the European Union was left exposed, compromising customer personal and
MongoDB database had no password or other authentication set. It was operated
by a third-party vendor who pulled sales data from a range of retailers,
including Amazon UK, eBay, Shopify, PayPal and Stripe, in order to calculate
value-added taxes for different countries. The information left unprotected
included customer names, email addresses, shipping addresses, purchases and the
last four digits of credit card numbers.
was discovered by Comparitech’s
security research team led by Bob Diachenko on February 3, 2020, at which time
he notified Amazon and the other retailers. On February 8 the owner of the
database was found and informed, and immediately shut it down.
eight million records were exposed, Comparitech does not know how many
individuals were involved as some people could have made multiple purchases
that were aggregated on the database.
Comparitech the email addresses and credit card details were not exposed from
Amazon, as it is not collected.
full payment card details were not revealed, the treasure trove of data is still
incredibly useful for cybercriminals. One of the primary uses for this data
would be for phishing scams. The information lost would make it easy for a
criminal to create a very convincing email to try and draw out login
credentials or payment information from their retail accounts, Diachenko said.