Eight million EU retail sales records exposed on AWS MongoDB

A database
hosed on Amazon Web Services holding eight million retail sales records from
the European Union was left exposed compromising customer personal and
financial information.

The open
MongoDB database had no password or other authentication set. It was operated
by a third-party vendor who pulled sales data from a range of retailers,
including Amazon UK, Ebay, Shopify, PayPal and Stripe in order to calculate
value-added taxes for different countries. The information left unprotected
included customer names, email addresses, shipping addresses, purchases and the
last four digits of credit card numbers.

The database was discovered by Comparitech’s security research team led by Bob Diachenko on February 3, 2020 at which time he notified Amazon and the other retailers. On February 8 the owner of the database was found and informed and immediately shut it down.

Although
eight million records were exposed, Comparitech does not know how many
individuals were involved as some people could have made multiple purchases
that were aggregated on the database.

Amazon told
Comparitech the email addresses and credit card details were not exposed from
Amazon, as it is not collected.

Even though
full payment card details were not revealed the treasure trove of data is still
incredibly useful for cybercriminals. One of the primary uses for this data
would be for phishing scams. The information lost would make it easy for a
criminal to create a very convincing email to try and draw out login
credentials or payment information from their retail accounts, Diachenko said.