
Collectibles.com, a collectible cards marketplace, has leaked sensitive details of nearly 900K customers, exposing clients’ card listings, transaction records, full names, and other sensitive information.
The market for collectible trading cards hovers around $2 billion. There’s a huge number of card enthusiasts out there, and they probably wouldn’t expect their data to go public.
The Cybernews research team has discovered an exposed Elasticsearch cluster belonging to Collectibles.com, a marketplace also known as Cardbase.
The online marketplace is a tool to track, sell and purchase trading cards. Cardbase rebranded as Collectibles.com to expand its business and include other collectibles, beyond trading cards.
According to the team, nearly 300GB of Collectibles.com data was exposed, encompassing over 870,000 records, with each representing a different user of the platform.
“The exposure of user details and transaction histories poses a significant security risk, potentially enabling identity theft, targeted fraud, and account takeovers,” our researchers said.
The team contacted the company after discovering the issue, but besides an automated response, the company did not acknowledge the data leak. However, the exposed instance was eventually closed and is no longer accessible to the public.
We have reached out for an official comment and will update the article once we receive a reply.

What Collectibles.com data was leaked?
The exposed cluster contained a large volume of data, with troves of personal identifiers and sensitive information. According to the team, the exposed details include:
- Full names
- Email addresses
- Profile picture links
- Other user account details
- Collectible card sales
- Transactional data
Researchers believe the leaked data can only be described as highly sensitive, as it can be exploited for identity theft, fraud and targeted scams. For example, attackers can use names, email addresses and other account details to impersonate exposed individuals, setting up fake accounts in their name.
More worryingly, leaking transactional data and collectible card sales info may provide threat actors with insights into users' financial behavior. That, in turn, can enable malicious actors to focus their efforts on high-value targets.
To get the most out of the leak, attackers could craft spear phishing campaigns that focus on the most valuable targets, coaxing them into revealing more sensitive details via malicious emails or text messages.

What’s worse, the lack of any official communication or confirmation from the company leaves the platform’s users in the dark about the safety of their data as well as their valuables.
The database remained open for over 10 days. While there’s no confirmation that threat actors accessed the data, cybercriminals scour the net looking for exposed instances. These efforts are often automated, with a 10-day window being more than enough to scan and download information stored on an exposed cluster.
“For one, leaks like this one may incur reputational damage. The platform’s users may lose trust in its ability to keep their data, which includes information on their valuables, safe,” the team said.
To mitigate the issue and avoid similar mishaps in the future, researchers advise the following:
- Restrict public access and require authentication for Elasticsearch instances.
- Inform affected individuals about the exposure, advising vigilance against phishing or other malicious attempts.
- Store sensitive data in encrypted form and enforce strict access privileges.
- Deploy continuous security monitoring to detect and block suspicious activity in real time.
- Evaluate the breach under relevant data protection regulations (e.g., GDPR) and notify authorities as necessary.
- Develop a robust, documented plan for quickly identifying, investigating, and responding to future breaches.
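The first, third and fourth recommendations come down to a handful of settings in elasticsearch.yml. The script below is an added example, not code from Cybernews or Collectibles.com: it parses a constructed weak configuration (the pattern behind open-cluster leaks) and a constructed hardened one, and reports which protections are missing. The `cluster.name` and `network.host` values are placeholders; `audit` and `parse_flat_yaml` are names chosen for this example.

```python
from typing import Dict, List, Tuple

# elasticsearch.yml contents, constructed for this example (not from the exposed cluster).
WEAK_CONFIG = """
cluster.name: cards-prod
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """
cluster.name: cards-prod
network.host: 10.0.5.12        # internal interface only; reach it via VPN or bastion
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true   # licensed feature in Elasticsearch
"""

# Values of network.host that expose the node beyond loopback.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `dotted.key: value` lines elasticsearch.yml normally uses (no nesting)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the settings behind an open-cluster exposure."""
    s = parse_flat_yaml(text)

    def on(key: str) -> bool:  # an absent setting counts as not enabled
        return s.get(key, "").lower() == "true"

    findings: List[Tuple[str, str]] = []
    # Security was off by default before 8.0, so only an explicit true is treated as safe.
    if not on("xpack.security.enabled"):
        findings.append(("NO_AUTH", "REST API accepts requests without credentials"))
        if s.get("network.host", "localhost") in ALL_INTERFACES:
            findings.append(("PUBLIC_BIND", "node listens on all interfaces; anyone can read the indices"))
    if not on("xpack.security.http.ssl.enabled"):
        findings.append(("NO_TLS", "HTTP traffic, including any credentials, travels in cleartext"))
    if not on("xpack.security.audit.enabled"):
        findings.append(("NO_AUDIT", "no audit log to show whether the data was accessed"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```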

- Leak discovered: December 9th, 2024
- Initial disclosure: December 9th, 2024
- Leak closed: Late December, 2024