Security researchers have found a misconfigured cloud-hosted database leaking over 300,000 records, including sensitive personal information on e-commerce buyers.
A team at Safety Detectives found the leaky Elasticsearch database on July 25 this year but claimed the content had been exposed without any password protection or encryption since November 2020.
Its efforts to close the leak have so far proven unsuccessful, after hosting firm Alibaba did not reply to the team’s outreach, and the identity of the database owner remains a mystery.
All Safety Detectives has been able to ascertain from the 500MB data leak is that the owner is a Chinese ERP provider serving businesses that sell goods on platforms like Amazon and Shopify.
Around half of the 329,000 exposed records contained buyers’ names, phone numbers, email, billing, and delivery addresses, according to the report. In some cases, seller names, email addresses, and billing information were also leaked.
German, French, and Danish e-commerce customers featured among the haul, with as many as 150,000 potentially exposed, the report claimed.
The leaked data would be a goldmine for scammers, who are past masters at reusing personal information in follow-on phishing and identity fraud attempts designed to elicit more sensitive financial info.
“Home addresses are available on the database too. This makes home invasion/burglary a real possibility if personally identifiable information (PII) is sold on to other criminals. Thieves may target users who make high-value orders in the hope the victim’s house is full of expensive goods,” the report claimed.
“Theft of ordered goods is another risk associated with leaked order details. Tracking links, shipment times, courier information, delivery addresses, and order information provide criminals with enough data to intercept and steal a user’s ordered goods.”
If the database owner is finally tracked down, they could face investigation from regulators of both the GDPR and China’s new equivalent legislation, the Personal Information Protection Law (PIPL).
Shopify powers a lot of the e-commerce world. As a result, both consumers and business owners face the prospect of scams. After all, where there is money to be made, there are individuals looking to take advantage.
Fortunately, as Shopify continues to flourish, the platform certainly offers way more good than bad. However, everyone should be aware of the downsides (like everywhere on the internet) of a massive platform. To help, a few of the most well-known Shopify scams target consumers and business owners.
Off Platform Sales Scam
A common scheme starts off with a trusted purchase process. The so-called direct client scheme turns into a scam as routine purchases move off the e-commerce platform. For example, a “real” site with true inventory seeks consumers. Customers find the site and make a purchase. The scam site sells and delivers the merchandise as expected.
Everyone is happy. However, after a few purchases, the scammers reach out and request a sale completed off the trusted platform due to excessive fees. The consumer makes the purchase, but the merchandise is never provided. In the end, the scammer makes a little profit from each good sale and then a lot on the final sale.