Millions of online shoppers have data exposed

Best credit card processing service
(Image credit: Pixabay)

A database containing nearly eight million sales records was left exposed online without a password by a software vendor used by small retailers in the EU.

According to Comparitech, the documents in the database contained sales records including customer names, email addresses, addresses, purchases, the last four digits of credit card numbers and other personal information. Since the database wasn't protected with a password, anyone could have found and accessed the data it contained.

The software vendor's app pulled sales records from Amazon UK, Ebay, Shopify, PayPal and Stripe to aggregate retailers' sales data to calculate value-added taxes for different countries in the EU. As of now, the exact number of retailers and customers affected is still unknown.

Independent security researcher Bob Diachenko and Comparitech's security research team first discovered the exposed AWS server containing the MongoDB database last month. Diachenko then took steps to responsibly and quickly disclose the data exposure but unauthorized parties may have accessed the information contained in the database before it was eventually secured.

Exposed data

The sales records contained on the server were exposed for about five days but cybercriminals still could have managed to steal customer data during that short time period.

Of the exposed data, roughly half of it was in the form of sales records from Amazon UK and Ebay. Shopify, PayPal and Stripe records made up a smaller portion of the data along with several other smaller marketplaces and payment systems.

Unfortunately for customers in the UK, the vast majority of the sales records contained their personal information including names, addresses, emails, phone numbers, orders, payments, redacted credit card numbers, transaction and order IDs and links to invoices for Strip and Shopify. An Amazon spokesperson did reach out to Comparitech to inform them that the email addresses and credit card details from its online store were not exposed. 

An eBay spokesperson told TechRadar Pro, "We investigated an incident regarding information from a third party developer and can confirm that no eBay systems were compromised and no data was taken from eBay. Our customers’ privacy and data remains a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy."

While 8m sales records were exposed by the software vendor, it doesn't mean that 8m people were affected as each record is for an individual sale and a single customer might account for multiple sales.

  • Also check out our complete list of the best VPN services

Via Comparitech

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.