Anime figurine maker exposes North American customer names, home addresses


Good Smile Company, a Japanese hobby products maker, may have inadvertently created hundreds of thousands of frowns after a misconfigured instance was discovered leaking sensitive details for months.

The company, best known for anime and gaming figurines, misconfigured an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, exposing a whopping 1.2 million files, the Cybernews research team discovered.

However, only a fraction of the exposed files, 156 CSV (comma-separated values) files and 1,058 XLSX files, contain sensitive information. According to the team, the exposed data contains the personally identifiable information (PII) of over 270,000 Good Smile Company customers.


Most of the customers who had their details revealed to anyone on the internet reside in the US and Canada. The exposed customer details include:

  • Full names
  • Email addresses
  • Nicknames
  • Home addresses
  • Order details (order date, type of purchase, payment method, and amount)
  • IP addresses

What’s worse, the data has been exposed since at least April 2024, when the team first discovered the open instance. Multiple attempts to reach out to the Good Smile Company bore no fruit, and the instance was still open at the time of writing.

We have contacted the company for comment and will update the article once we receive a reply.

Sample of the leaked data. Image by Cybernews.

Nothing to smile about

Leaving chunks of PII belonging to a group of people with specialized interests exposed invites attackers to use the situation to their advantage.

“Cybercriminals could use the exposed emails and phone numbers to conduct targeted phishing attacks. The company’s customers could receive fraudulent emails that appear to be official correspondence from the Good Smile Company, further compromising its customers,” researchers said.


The exposed details could be utilized for social engineering attacks, with malicious actors attempting to deceive victims into disclosing additional personal data or taking actions that might jeopardize their security.

“Cybercriminals may also use the leaked information to try gaining access to customers’ existing accounts as some services employ personal information like home addresses for identity verification purposes,” the team explained.

Doxxing, the practice of disclosing or publishing personal information about a person without that person's permission, is another way attackers can employ the leaked data.

Researchers claim that cybercriminals, better known as “doxxers,” constantly mine the internet for personal data to exploit unwary victims. Their motivations range from personal to financial.

Good Smile Company, established in Japan in 2001, designs, markets, and distributes figurines based on anime, manga, or video games. Its products have a dedicated fan base in Japan, the USA, and China.

To mitigate the issue, Cybernews researchers advise the company to:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Retrospectively monitor access logs to assess whether unauthorized actors have accessed the bucket.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) to manage encryption keys securely.
  • Implement SSL/TLS for data in transit to ensure secure communication.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.
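As an added example that is not from the article or from Cybernews, the following Python auditor checks a bucket's policy, ACL, Block Public Access settings and default encryption against the first, third and fourth recommendations above. It works on the JSON shapes the S3 API returns (GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock, GetBucketEncryption) and assumes that configuration has already been fetched with the AWS CLI or boto3; the open-bucket sample and the bucket name `example-bucket` are constructed for illustration.

```python
import json

# ACL grantee groups that make a bucket or its objects readable by anyone
PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    # A policy Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(policy_json, acl, public_access_block, encryption):
    """Return a list of findings; an empty list means every check passed."""
    findings, block = [], public_access_block or {}
    # 1. Policy statements that allow everyone, unless RestrictPublicBuckets neutralises them
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal"))
                and not block.get("RestrictPublicBuckets")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy allows %s for everyone" % ", ".join(actions))
    # 2. ACL grants to the AllUsers/AuthenticatedUsers groups, unless IgnorePublicAcls is on
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_URIS and not block.get("IgnorePublicAcls"):
            findings.append("ACL grants %s to %s" % (grant["Permission"], uri.rsplit("/", 1)[-1]))
    # 3. All four Block Public Access settings should be on
    findings += ["public access block setting %s is off" % f for f in BLOCK_FLAGS if not block.get(f)]
    # 4. Default server-side encryption should use KMS-managed keys
    rules = (encryption or {}).get("Rules", [])
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    if "aws:kms" not in algos:
        findings.append("default encryption: %s (SSE-KMS expected)" % (", ".join(sorted(algos)) or "not set"))
    return findings

# Constructed sample of the open-bucket pattern: everyone may list and read, plus a public ACL
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
```

Running `audit_bucket(OPEN_POLICY, OPEN_ACL, None, None)` lists every gap in the sample; the same call with all four block flags set and an SSE-KMS default returns no findings.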