A top online gift card store may have exposed private data on hundreds of thousands of users

News
By
published

MyGiftCardSupply was keeping sensitive data in an unprotected database

A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
(Image credit: Shutterstock / JLStock)
  • Security researcher finds large unsecured database belonging to MyGiftCardSupply
  • It contained images of vital documents, as well as selfie photos
  • The company has since locked it down, but users should still be wary

A database containing sensitive information on hundreds of thousands of users was sitting unprotected online, available to anyone who knew where to look, experts have warned.

Cybersecurity researcher JayeLTee found a database containing driving licenses, passports, and other identity documents, which a subsequent investigation determined belonged to a company called MyGiftCardSupply, which sells digital gift cards that customers can redeem either online, or at popular stores.

The data was hosted on Azure and contained 600,000 front and back images of various identity documents. Furthermore, it contained roughly 200,000 selfies. Some companies require users to take a selfie holding a document, as proof of ownership and identity.

Full audit

Gift cards are often abused in online scams. People that steal money, especially cryptocurrency, will often purchase gift cards to avoid being tracked by law enforcement. To eliminate fraud and comply with local regulations, MyGiftCardSupply required all customers to go through a mandatory Know Your Customer (KYC) process, which requires them to verify their identities.

Unfortunately, the company kept that data unprotected, for an undisclosed amount of time. We don’t know if any threat actors discovered it beforehand, but it is a possibility. This type of data can be sold on the dark web, used in phishing and identity theft, and even abused in wire fraud.

JayeLTee said they reached out to MyGiftCardSupply to no avail, after which they contacted TechCrunch. In a response to the publication, the company’s founder, Sam Gastro, acknowledged the researcher’s findings, saying “The files are now secure, and we are doing a full audit of the KYC verification procedure.”

“Going forward, we are going to delete the files promptly after doing the identity verification.”

The company says it locked down the database on January 1, 2025.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Someone checking their credit card details online.
Millions of credit card details leaked online - watch out if you're paying for Christmas
Data leak
Popular online bill paying site leaks data of thousands of users
Businessman holding a magnifier and searching for a hacker within a business team.
Top Mexican fintech firm leaks details on 1.6 million customers
Data leak
Top healthcare company exposes data on millions of patients - find out if you're affected
Data leak
AI development service Builder.ai potentially exposed over 1TB of user data
A man looking at a tablet with a brown Best Buy package on the desk in front of him
Huge Christmas data breach - 14 million shipping records leaked, putting shoppers at risk
Latest in Security
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Security
Broadcom releases fixes for multiple VMware security flaws
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Latest in News
An Nvidia GeForce RTX 5070
Nvidia confirms that an RTX 5070 Founders Edition is coming... just not on launch day
Microsoft UK CEO Darren Hardman AI Tour London 2025
Microsoft - UK can help drive the global AI future, but only with the proper buy-in
Asus Prime OC RTX 5070 graphics card with three fans, shown at an angle
Asus reveals Nvidia RTX 5070 launch pricing, and while one model is at MSRP – thankfully – the others make me want to give up my search for a next-gen GPU
OpenAI CEO Sam Altman attends the artificial intelligence Revolution Forum. New York, US - 13 Jan 2023
Sam Altman tweets delay to ChatGPT-4.5 launch while also proposing a shocking new payment structure
Philips Hue lights being dimmed
Got Philips Hue lights? A free app update delivers these 3 improvements
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
More about security
Red padlock open on electric circuits network dark red background

Aviaton firms hit by devious new polyglot malware
Woman using iMessage on iPhone

Apple to take legal action against British Government over backdoor request
DJI Osmo Action 4

The impressive DJI Osmo Action 4 drops to a record-low price at Amazon
See more latest