Buyer names, delivery addresses, ordered items, and other sensitive information exposed in over 300,000 leaked records.
Security researchers at Safety Detectives discovered a data leak affecting an unidentified Chinese enterprise resource planning (ERP) software provider.
ERP platforms usually allow users to manage their businesses from accounting to supply-chain management tasks. The likeliest clients are businesses selling goods and services on sites like Amazon and Shopify.
According to the researchers, the leak exposed more than 300,000 records in a 500MB dataset. The breach is likely to affect 50,000-150,000 ecommerce buyers and sellers.
The owner of the ElasticSearch server where the data was stored is unknown. However, the researchers believe the owner to be a Chinese ERP operator.
"All of the products we saw while investigating the server appear to be Chinese exports, and many of the database's logs are written in Chinese, too," researchers at Safety Detectives claim.
The Alibaba Cloud-hosted unencrypted server had no password protection. Over half of 330,000 leaked records contain buyers' payment records and other personally identifiable information (PII).
Leaked data includes buyer names, phone numbers, email, delivery, and billing addresses, ordered items, and paid prices. Researchers found that the dataset also had delivery information like courier service names, order tracking URLs, and shipping dates.
Even though the servers are likely to belong to a Chinese company, most of the data exposed belongs to European customers. Data on Danish, German, and French businesses were identifiable in the dataset.
According to the researchers, exposed seller names, email addresses, and profit estimations show that ecommerce vendors using the ERP platform are affected, too.
Safety Detectives discovered the database on 25 July and estimate the content has been exposed since November 2020. Researchers claim to have contacted the Alibaba Abuse Department about the incident but received no reply.
German CERT was also contacted about the discovery but was similarly unable to reach the hosting provider.
Cascade of problems
A breach of this magnitude can result in a cascade of issues for businesses with leaked data. Ecommerce buyer data was leaked from a third party, which means buyers are unlikely to find out that their information was revealed.
Threat actors might target affected businesses in phishing attacks, impersonating business partners and sellers. A data leak of this sort allows cybercriminals to carry out sophisticated social engineering attacks due to the volume of information at hand.
Leaked order numbers and tracking details can even lead to theft of goods, while leaked home addresses might even lead to home invasion or burglary. Meanwhile, ERP users whose data was leaked could be at risk of business espionage.
To prevent future damage, researchers provide several recommendations:
- Only provide your personal information to trustworthy companies/individuals.
- Only visit secure website domains. Secure domains begin with 'HTTPS' and/or a closed lock symbol.
- Be cautious when asked to provide the most important forms of personal information (keep government ID numbers and personal preferences to yourself).
- Create secure passwords. Use a combination of letters, caps, numbers, and symbols when creating a password. Update your passwords regularly.
- Don't click a link in an email, SMS message, or otherwise unless you can be 100% sure the sender is legitimate.
- Edit your privacy settings on social media. Your accounts should only display your content and personal details to trusted users and friends.
- Limit the information you display when connected to a public Wi-Fi network. Typing out credit card details should be avoided at all costs.