Ecommerce giant VTEX leaks details of six million shoppers - here's what we know, and how you can find out if you're affected
A large VTEX database was found sitting unprotected online

- VTEX database exposed six million users due to a misconfigured, unauthenticated cloud container
- Leaked data includes emails, addresses, phone numbers, and detailed purchase histories
- Cybernews alerted VTEX and Brazilian CERT after six months of no response from VTEX
Global ecommerce company VTEX was found leaking sensitive customer data on millions of people, experts have warned.
The alarm was sounded by cybersecurity researchers at Cybernews, who claimed that, despite their best efforts, they couldn’t reach VTEX and get the company to plug the leak.
Cybernews said that in late February 2025, its researchers discovered an unprotected database containing a “massive chunk” of user data. “The data leak originated from an unauthenticated container. This is a common misconfiguration caused by human error that leaves the cloud storage environment without a password. It makes private data potentially visible to search engines and accessible to anyone online,” the report states.
No response
In total, six million people reportedly have their information out in the open, including email addresses, postal addresses, phone numbers, order details, and other purchase histories - more than enough information to launch phishing attacks, identity theft, and possibly even wire fraud.
The information was stored in Parquet format, a columnar data storage type used to organize large datasets that are often part of a wider data analytics system.
Cybernews tried reaching out to VTEX to get the company to lock the database down, but allegedly never heard back in more than six months.
The researchers were then forced to report the findings to the Brazilian CERT, as well as to publicly disclose their findings.
“We’ve decided to post our findings to help customers stay vigilant ahead of the seasonal shopping madness that’s about to kick off,” Cybernews said, alluding to the fast-approaching Black Friday.
VTEX is a Brazilian software company offering a cloud commerce platform (SaaS) for digital commerce. It operates in 38 countries, powers more than 3,000 online stores, and serves major brands such as Coca-Cola, Sony, and Samsung.
If you’ve made purchases from any of VTEX’s clients in late 2024 and early 2025, there is a good chance you’re affected. You can always run your email address through HaveIBeenPwned? to see if you are exposed, and you can also pay attention to the incoming spam emails to see if any are coming from VTEX’s customers - just make sure not to interact with any of the incoming messages.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.