Attackers could cash out your gift card after popular platform left them passwordless


A secondhand electronics marketplace has accidentally streamed its users’ login codes and gift card credits to the open internet.

An online marketplace for secondhand electronics, Cartlow.com, accidentally leaked its customers' data online.

Cartlow.com, with an estimated three million users, exposed sensitive customer data through an open, unauthenticated Apache Kafka broker. Kafka is commonly used to stream messages between internal systems, but when misconfigured, it can act like a live feed of a company’s internal operations.


On September 30th, Cybernews researchers discovered that the broker associated with Cartlow was actively streaming internal messages tied to user activity, including two-factor authentication (2FA) codes, email and SMS notifications, and links used to redeem digital gift cards.

Any potential attacker could exploit the data to intercept gift card redemption links, take over accounts, and cash out credits before legitimate users ever had a chance to log in.

Image (Cartlow data leak): Email notifications. Source: Cybernews

US and European customers could also be affected

Cartlow is based in the United Arab Emirates, but its reach is global. The company is operated by Cartlow DMCC, which was acquired in 2025 by Basatne, a privately held group with operations spanning the US, UAE, Canada, and Saudi Arabia.

Both companies position themselves as players in the “circular economy,” focused on extending the lifecycle of consumer electronics.

The platform operates differently depending on the region. In the UAE, Cartlow allows users to buy and sell used electronics directly. Internationally, the offering is more limited, focusing primarily on digital gift cards for services such as Steam, Google Play, PlayStation Network, and Binance.

The company’s mobile apps are estimated to have been downloaded more than 900,000 times on iOS and over two million times on Android. Cartlow has reportedly raised around $20 million over the past five years.


Third-party estimates suggest that only about half of Cartlow’s users are based in the UAE, meaning customers in the US and European Union may also have been affected.

Image (Cartlow data leak): Seller activity logs. Source: Cybernews

What data was exposed?

The exposed Kafka stream included both email and SMS notifications sent to Cartlow users. Among them were one-time passcodes (OTPs) used for login verification.

These codes, if intercepted, could enable direct account takeovers. More troubling still were confidential links used to redeem in-store credits for gift cards, opening the door to immediate financial abuse.

Researchers say attackers could have redeemed gift cards the moment they were issued, then used those credits to buy other gift cards sold on the platform. In some cases, that could include cryptocurrency gift cards, such as Binance USDT, making the stolen value easier to move and harder to trace.

The exposed stream also leaked personally identifiable information, including names, phone numbers, email addresses, IP addresses, device details, and user tokens hashed using MD5. While hashed, those tokens still represent sensitive session-related data that should never be publicly accessible.

Image (Cartlow data leak): SMS OTP codes sent to customers. Source: Cybernews

Researchers say the real-time nature of the leak exacerbated the risk. Since internal messages were exposed as they were generated, attackers could theoretically access login codes and redemption links before users themselves, dramatically increasing the success rate of account takeovers and credit theft.

The Cybernews research team highlights the importance of securing the instance.


"The company should enable Kafka’s built-in authentication, restrict access through IP whitelisting, and ensure that no system responsible for transmitting credentials or monetary assets is exposed to the public internet," they said.
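As an added illustration that is not from the article or from Cartlow, the broker-side settings behind those three recommendations, written as a constructed Kafka server.properties fragment: the kind of configuration that produces an open, unauthenticated broker, followed by a hardened one. Host names, file paths, the bind address and the principal names are placeholders.

```properties
# --- Exposed configuration (what an open broker typically looks like) ---
# A PLAINTEXT listener bound to every interface: no TLS, no client identity.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
# No authorizer.class.name set: Kafka has no ACLs to enforce, so any client
# that can reach port 9092 may consume every topic, OTP notifications included.

# --- Hardened configuration ---
# 1. Bind only to the private interface (placeholder address) and require
#    TLS plus SASL authentication on the sole client-facing listener.
listeners=SASL_SSL://10.0.5.20:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL

# TLS material (placeholder paths; keep passwords out of version control).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME_KEYSTORE_PASSWORD
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME_TRUSTSTORE_PASSWORD

# SASL/SCRAM credentials per client; SCRAM-SHA-512 is a built-in mechanism.
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512

# 2. Turn on the ACL authorizer and deny by default. Without the second line,
#    a topic that has no ACL is readable by everyone, which re-creates the leak.
#    (Use org.apache.kafka.metadata.authorizer.StandardAuthorizer on KRaft.)
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin

# 3. Grant each service only the topics it needs, e.g. a read-only principal
#    for the notification consumer (placeholder names), run once at setup:
#    kafka-acls.sh --bootstrap-server broker.example.internal:9093 \
#      --command-config admin.properties --add --allow-principal User:notifier \
#      --operation Read --topic user-notifications
# IP allow-listing is enforced outside this file: a host firewall or cloud
# security group that admits 9093 only from the application subnets.
```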

Cybernews researchers contacted the company to disclose the data leak. However, the company has not responded to the research team or to further inquiries from our journalists. After this article was published, the company secured the data.

Image (Cartlow data leak): User activity logs. Source: Cybernews

Disclosure timeline

Leak discovered: September 30th, 2025
Initial disclosure: October 3rd, 2025
CERT contacted: October 10th, 2025
Leak closed: January 12th, 2026

Updated on January 14th [02:40 p.m. GMT] to note that access to the data has been secured.


