Data leak at Editorialist affects thousands of shoppers


The luxury fashion shopping platform Editorialist has been leaking user data for months.

Editorialist.com, formerly Project YX, is an e-commerce platform for luxury fashion that also features personal styling advice to boost sales.

On September 26th, 2023, the Cybernews research team discovered exposed cloud storage (namely, an Amazon S3 bucket) that, considering the sensitive data it contained, most likely wasn’t meant to be accessible to the public.


The storage, seemingly left open accidentally via a misconfiguration, belongs to Editorialist.com and contains over 7,000 client invoices with Editorialist.com clients’ names, addresses, and descriptions of shopping items.

It also contains 316 spreadsheets (XLSX/CSV files) under the “credit card sheets” folder and exposes the following information:

  • User ID
  • First and last name
  • Card name and type
  • The last four payment card digits
  • Card expiration date
  • Cardholder’s email
  • And local amount, among other information.

[Image: Editorialist invoice. Screenshot by Cybernews.]

Upon this discovery, we immediately contacted the company. Unfortunately, the data remained exposed for another five months, with our intel showing it was only secured between the end of February and the beginning of March.

We have yet to receive a response to our requests for on-the-record comments.

Since Editorialist.com is a luxury fashion shopping website, its clients are a highly lucrative target.

“Shopping information and transaction data can greatly add to phishing attacks,” our researchers said.

“Victims should be on the lookout for targeted phishing emails from fraudsters posing as Editorialist or a related company. Never click on links or attachments in unsolicited emails.”
