Major data leak exposes 1.6M Etsy, TikTok Shop customer emails


Hundreds of thousands of customer files have been discovered leaking from an unprotected instance. Researchers believe the data exposed mostly American customers of Etsy, Poshmark, and TikTok shops.

While online shopping has long ceased to be a perilous activity, some dangers still lurk in the digital shadows. For example, the Cybernews research team recently found two unprotected Azure Blob Storage containers containing over 1.6 million files.

According to the team, both exposed instances contained shipping email confirmations in HTML format. While the vast majority of the exposed data comes from users in the United States, some affected individuals seem to be from Canada and Australia.


“Given Etsy’s global prominence as a marketplace for millions of small businesses, the exposure of its shipping email confirmation data has serious implications for the privacy and safety of its customers,” researchers said.


Most of the exposed shipping details come from the global e-commerce company Etsy, although researchers noted that some entries come from TikTok shops, Poshmark, and Embroly.

Most of the files are email versions of shipping confirmations, meaning the exposed details include:

  • Full names
  • Home addresses
  • Email addresses
  • Shipping order details

Why is an Etsy shipping email leak dangerous?

Skilled attackers may utilize leaked details for various nefarious purposes. For example, they could impersonate Etsy or associated shipping services to launch convincing phishing campaigns.

Specific order details could be utilized to trick recipients into revealing sensitive personal or financial information. The emails would appear legitimate due to the inclusion of order data, increasing the likelihood of successful exploitation.


“With access to personal information like full names and addresses, attackers could impersonate trusted shipping providers or Etsy itself, making fraudulent communications seem more credible and urging victims to take actions such as confirming personal details, making payment, or clicking malicious links,” our researchers said.

Moreover, armed with email addresses and detailed shipping information, criminals could engage in social engineering, manipulating victims into sharing additional personal or financial information.

“The email confirmations, which contain personal and order information, could be used to deliver malware. By crafting emails that reference specific products or recent orders, cybercriminals may lure recipients into clicking links or opening attachments that lead to malware infections,” the team explained.

Who owns the leaked Etsy shipping confirmations?

Researchers could not identify the exact owner of the exposed instance. However, an analysis of processing records indicates that the affected orders were for custom embroidery designs, with designer names and order details linking back to Vietnam-based embroidery services.

Evidence strongly suggests it may be a single entity that has set up multiple shops across popular e-commerce platforms, with the most affected customers originating from Etsy. However, the misconfigured instance lacks the details needed to identify its exact owner.

To mitigate the issue and avoid similar problems in the future, researchers advise:

  • Implementing more stringent security measures to prevent unauthorized access to sensitive data in cloud storage environments.
  • Conducting a retrospective review of access logs to determine if any unauthorized entities accessed the bucket.
  • Enabling server-side encryption to protect data at rest and ensure its confidentiality.
  • Utilizing Azure Key Vault for securely managing encryption keys.
  • Ensuring secure communication by enabling SSL/TLS protocols for data in transit.
  • Adopting regular audits and security checks, and considering staff training to improve awareness of data security practices.
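
For the access-log review recommended above, the following added example (not from the researchers or the original article) summarises successful unauthenticated reads per caller IP. It assumes storage logs exported as JSON lines in the Azure Monitor resource-log shape; the field names, sample records and the `examplestore` account name are constructed assumptions.

```python
import json

# Constructed sample records. Field names follow the Azure Monitor resource-log
# JSON shape for Blob Storage (an assumption; adjust to your own export).
SAMPLE_LOGS = """\
{"time":"2025-03-01T08:00:01Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"203.0.113.7:50112","identity":{"type":"Anonymous"},"uri":"https://examplestore.blob.core.windows.net/orders/a1.html"}
{"time":"2025-03-01T08:00:03Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"198.51.100.4:41000","identity":{"type":"OAuth"},"uri":"https://examplestore.blob.core.windows.net/orders/a1.html"}
{"time":"2025-03-01T08:00:05Z","operationName":"ListBlobs","statusCode":200,"callerIpAddress":"203.0.113.7:50113","identity":{"type":"Anonymous"},"uri":"https://examplestore.blob.core.windows.net/orders?comp=list"}
{"time":"2025-03-01T08:30:00Z","operationName":"GetBlob","statusCode":404,"callerIpAddress":"192.0.2.9:33000","identity":{"type":"Anonymous"},"uri":"https://examplestore.blob.core.windows.net/orders/missing.html"}
{"time":"2025-03-01T09:15:00Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"192.0.2.33:60001","identity":{"type":"Anonymous"},"uri":"https://examplestore.blob.core.windows.net/orders/b7.html"}
{"time":"2025-03-01T09:20:00Z","operationName":"GetBl
"""

READ_OPS = {"GetBlob", "ListBlobs", "GetBlobProperties"}  # data-exposing operations


def anonymous_reads(lines):
    """Summarise successful unauthenticated read/list requests per caller IP."""
    hits = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(rec, dict):
            continue
        if (rec.get("identity") or {}).get("type") != "Anonymous":
            continue  # request carried a key, SAS token or OAuth identity
        if rec.get("operationName") not in READ_OPS:
            continue
        if not 200 <= int(rec.get("statusCode", 0)) < 300:
            continue  # denied or failed requests returned no data
        raw = rec.get("callerIpAddress", "")
        ip = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw  # drop IPv4 port
        when = rec.get("time", "")
        entry = hits.setdefault(ip, {"count": 0, "ops": set(), "first": when, "last": when})
        entry["count"] += 1
        entry["ops"].add(rec["operationName"])
        # Same-format ISO-8601 UTC timestamps sort correctly as strings.
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return hits


if __name__ == "__main__":
    for ip, e in sorted(anonymous_reads(SAMPLE_LOGS.splitlines()).items()):
        print(ip, e["count"], sorted(e["ops"]), e["first"], e["last"])
```

Any caller IP in the output that does not belong to the data owner is a candidate unauthorized access; a successful anonymous `ListBlobs` is the strongest sign that a container's contents were enumerated.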

  • Leak discovered: March 12th, 2025
  • CERT contacted: March 28th, 2025