Data of 34M+ orders exposed in major Sydney Tools data leak


Sydney Tools, Australia’s Home Depot equivalent, has exposed data on tens of millions of online orders, revealing customer names, home addresses, and other details.

Self-reliance doesn’t end with perfecting the DIY lifestyle – fixing digital holes is just as important. Take professional tools wholesaler and retailer Sydney Tools as an example. It left a database unprotected, leaking employee and customer data.

The exposed ClickHouse database contained over 5,000 entries with data on the company’s past and present employees. Additionally, the exposed instance spilled over 34 million online order entries, revealing purchase data.


Worryingly, despite the team’s attempts to contact the company, the exposed instance was not closed, meaning the data is leaking to this day. We have also reached out to the company for official comment and will update the article once we receive a response.

“Information Sydney Tools is leaking can aid cybercriminals in the surprisingly common crime of tool theft, as well as more standard cybercrimes such as identity theft, phishing, or spam campaigns,” our researchers said.


What data did Sydney Tools leak?

According to the team, the exposed database revealed large amounts of information about Sydney Tools’ employees. The exposed data includes:

  • Names and surnames
  • Branches of employment
  • Salaries
  • Sales targets

Interestingly, while Sydney Tools reports that it employs around 1,000 staff, the database indicated nearly 5,000 employees. The team surmised that this likely indicates past employees have also been exposed via the leaky database.

Sample of the leaked data. Image by Cybernews.

Our team believes the exposed employee details endanger impacted individuals as malicious actors can use leaked information to craft spear phishing attacks. Moreover, attackers may set their sights on high earners to maximize their impact.

The company’s customers weren’t spared by the incident either – over 34 million online purchase records were discovered in the exposed database, revealing personal and sensitive user details, such as:

  • Names
  • Email addresses
  • Home addresses
  • Phone numbers
  • Ordered items

“The leaked data is sensitive as it included extensive personally identifiable information in large volumes, as well as sensitive information regarding which customers purchased expensive items, and the salaries of their employees,” researchers said.

Attackers could utilize leaked details for highly targeted attacks. For example, cybercrooks can flood customers with fraudulent emails and messages, referencing specific tools that users purchased, and convincing victims to reveal more data about themselves.


  • Leak discovered: February 4th, 2025
  • Initial disclosure: February 6th, 2025
  • Australian Signals Directorate contacted: February 13th, 2025