Millions exposed as 14M shipping records accidentally leaked


Hipshipper, an international shipping platform used by eBay, Shopify and Amazon sellers, has exposed millions of shipping labels, revealing personal customer data.

There are countless ways to lose control of your personal details, as the Cybernews research team has shown time and again. The latest addition to the list is ordering a parcel: according to the team, an international shipping platform has leaked millions of shipping labels.

What’s worse, the open instance was discovered in December, a peak month for international shipping as hundreds of millions send and receive gifts worldwide. Meanwhile, Hipshipper offers fully tracked delivery to over 150 countries, free insurance, and hassle-free returns.


Shipping labels and customs declarations are essential for any international parcel, as they say what is in the box and where it is supposed to go. Hipshipper stored them in an AWS S3 bucket that was left open to the internet, holding over 14.3 million records, mostly shipping labels and customs declaration forms, readable by anyone who found the bucket.

“Cybercriminals can exploit leaked data to orchestrate advanced scams and phishing attacks. For example, crooks may impersonate trusted businesses and distribute fraudulent messages that leverage specific order details to demand urgent verification of personal or financial information,” our researchers said.

The only silver lining is that after Cybernews contacted Hipshipper, the company closed the exposed bucket, and the data stored is no longer accessible to the public. To understand the wider impact of the leak, we have reached out to the company and will update the article once we receive a comment.

Sample of the leaked data. Image by Cybernews.

What Hipshipper data was leaked?

Researchers believe that the data stored on the exposed bucket included buyers’ personal details, such as:

  • Full names
  • Home addresses
  • Phone numbers
  • Order details (dates of mailing, parcel information, etc.)

While there is no indication that cybercriminals accessed the exposed bucket, attackers routinely run automated scanners that look for open storage buckets like this one, hoping to harvest the data for fraud before the owner notices.


For example, crafty attackers could employ the details to impersonate businesses and lure sensitive information from customers. With shipping labels at hand, attackers could reference specific orders, adding credibility to otherwise fraudulent demands.

“Armed with leaked information about recent purchases or interactions, they enhance their plausibility and manipulate individuals into revealing sensitive data. Victims are more likely to comply, believing they are addressing an urgent and legitimate issue,” the team said.

Paulina Okunyte Ernestas Naprys Gintaras Radauskas Niamh Ancell BW

Moreover, cybercrooks could carry out targeted malware attacks. Leaked data assists their efforts as malicious actors can employ exposed details to craft messages referencing specific products or orders to trick victims into clicking malicious links or downloading harmful files.

“Revealing personal details may even pose risks to physical safety. Criminals could use this information for stalking, harassment, or planning burglaries. Furthermore, attackers may compile and use leaked data for financial or personal gain, often subjecting victims to harassment, reputational damage, or other harmful actions,” the team explained.

To avoid future data leaks, researchers advise businesses to:

  • Change the access controls to block public access and secure the bucket, updating permissions so that only authorized users or services have the access they need.
  • Review access logs retrospectively to assess whether the bucket was accessed by unauthorized actors while it was open.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) to manage the encryption keys securely.
  • Enforce TLS for data in transit so that the bucket is only reachable over encrypted connections.
  • Adopt broader security best practices, including regular audits, automated security checks, and employee training.
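The first two recommendations above are the ones a bucket owner has to act on in the first hour after a disclosure: find out whether the bucket policy grants anonymous access, fix it, and then work out from the S3 server access logs what was actually read while the bucket was open. The script below is an added example, not Cybernews' or Hipshipper's code, showing both checks. The bucket name `example-labels`, both policy documents and the four log lines are constructed for the example; the policy condition keys (`aws:SecureTransport`, `s3:x-amz-server-side-encryption`) and the access-log field layout are AWS's real ones.

```python
"""Post-exposure checks for an S3 bucket: (1) audit the bucket policy for
anonymous access and missing transport/encryption controls, (2) triage S3
server access logs for anonymous reads. Added example with constructed data."""
import json
import re
from collections import Counter

# Constructed: a policy that makes every object world-readable. Any Allow whose
# Principal is "*" (or {"AWS": "*"}) with no Condition is reachable anonymously.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-labels", "arn:aws:s3:::example-labels/*"]}],
})

# Constructed: the corrected policy. No public Allow at all; explicit Denies refuse
# plaintext HTTP and uploads that are not SSE-KMS encrypted.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-labels", "arn:aws:s3:::example-labels/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-labels/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
})


def _is_anonymous_principal(principal):
    """True if the statement applies to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def audit_policy(policy_json):
    """Return a list of human-readable findings; an empty list means nothing found."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings, tls_deny, sse_deny = [], False, False
    for stmt in statements:
        public = _is_anonymous_principal(stmt.get("Principal"))
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and public and not cond:
            findings.append(f"{stmt.get('Sid', '?')}: unconditional Allow to anonymous principal")
        if stmt.get("Effect") == "Deny" and public:
            tls_deny |= "aws:SecureTransport" in cond.get("Bool", {})
            sse_deny |= "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {})
    if not tls_deny:
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP accepted)")
    if not sse_deny:
        findings.append("no Deny for unencrypted PutObject (SSE-KMS not enforced)")
    return findings


# S3 server access log, first ten fields: owner, bucket, [time], remote IP,
# requester, request ID, operation, key, "request-URI", HTTP status.
# Anonymous callers are logged with "-" as the requester.
_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d+|-)')

# Constructed log lines: an anonymous listing and download, a denied anonymous
# download, and a legitimate authenticated upload from an assumed role.
SAMPLE_LOG = """\
OWNERID example-labels [02/Dec/2024:10:15:01 +0000] 198.51.100.7 - 3E57427FEXAMPLE REST.GET.BUCKET - "GET /example-labels?list-type=2 HTTP/1.1" 200 - 4213 - 12 - "-" "python-requests/2.31" -
OWNERID example-labels [02/Dec/2024:10:15:09 +0000] 198.51.100.7 - 7B2C9D4EXAMPLE REST.GET.OBJECT labels/2024/11/order-1001.pdf "GET /example-labels/labels/2024/11/order-1001.pdf HTTP/1.1" 200 - 88120 88120 31 - "-" "python-requests/2.31" -
OWNERID example-labels [02/Dec/2024:10:16:44 +0000] 203.0.113.9 - 9F1A0EEXAMPLE REST.GET.OBJECT labels/2024/11/order-1002.pdf "GET /example-labels/labels/2024/11/order-1002.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4.0" -
OWNERID example-labels [02/Dec/2024:10:20:00 +0000] 10.0.3.15 arn:aws:sts::123456789012:assumed-role/label-printer/i-0abc 1C2D3EEXAMPLE REST.PUT.OBJECT labels/2024/12/order-2001.pdf "PUT /example-labels/labels/2024/12/order-2001.pdf HTTP/1.1" 200 - - 90211 40 - "-" "aws-sdk-go/1.44" -
"""


def triage_access_log(lines):
    """Summarise anonymous activity: how much succeeded, from where, which keys."""
    anon_ok = anon_denied = 0
    ips, keys = Counter(), []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m["requester"] != "-":
            continue  # unparseable, or an authenticated caller: not anonymous exposure
        ips[m["ip"]] += 1
        if m["status"].startswith("2"):
            anon_ok += 1
            if m["op"] == "REST.GET.OBJECT" and m["key"] != "-":
                keys.append(m["key"])  # an object that was actually downloaded
        else:
            anon_denied += 1
    return {"anonymous_ok": anon_ok, "anonymous_denied": anon_denied,
            "ips": dict(ips), "keys_exposed": keys}


if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or ["no findings"])
    print(triage_access_log(SAMPLE_LOG.splitlines()))
```

The policy check only reads the bucket policy; in practice it should be paired with turning on S3 Block Public Access for the bucket (`aws s3api put-public-access-block`), which overrides any public ACL or policy statement that the audit might miss. The log triage only works if server access logging or CloudTrail data events were already enabled before the exposure; if they were not, there is no retrospective record to review, which is itself a finding worth writing down.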

  • Leak discovered: December 2nd, 2024
  • Initial disclosure: December 9th, 2024
  • Leak closed: January 8th, 2025