Retail giant Vevor leaked user location and payment data for almost five months


An online retailer specializing in tools and equipment for DIYers and professionals left a database with sensitive user information, including payment details, open to the public.

Vevor is a retail giant with 40+ warehouses in the US, Canada, the UK, Australia, and Germany, among other countries. It ships over one million products to professionals and DIYers worldwide, claiming it “has satisfied” over 10 million customers in over 200 countries.

Recently, the Cybernews research team was informed that Vevor left a multi-terabyte database exposed. Upon close inspection of the instance, we discovered that the company was leaking sensitive user data: full names, physical addresses, email addresses, phone numbers, order details, partial payment details, payment logs, and other tracking information.

Our investigation revealed that the database was first exposed on July 12, 2022, and leaked sensitive information for nearly five months. Vevor removed the database from public access in the first week of December after being repeatedly contacted by the Cybernews research team with the request to protect user data as soon as possible.

[Image: Vevor webpage. Screenshot by Cybernews]

Cybernews has reached out to the company to learn more about the breach but received no response prior to publication. The database is now closed, and user data remains safe. That is, of course, under the condition that threat actors haven’t already retrieved the disclosed information.

“The leak could have financially damaging consequences. The data leaked is enough to create targeted phishing/vishing campaigns from your shipping courier, as all the information is available to the threat actor. If more leaks containing specific customer data exist, it is just another piece of the puzzle until all the private information is leaked and allows for online identity theft, causing financial damages, irreversible credit scores, and hours or days, or months wasted trying to get it fixed,” the Cybernews research team said.

Vevor data leak

After reviewing the data samples, our researchers noticed that every PayPal authorization and capture process is logged into the same database. PayPal creates encrypted tokens for its transactions, which include payment tokens, payer IDs, transaction IDs (post payment), and so on.

“Changing values before payment is captured could reroute money flow to different PayPal accounts but still be marked as a successful transaction for the Vevor order system, causing a double loss for the company as it would be giving equipment away for free,” researchers warned.
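
The risk described above is that a capture whose values were altered before completion is still treated as a successful payment by the order system. The following is an added example, not code from Vevor, PayPal or Cybernews: a server-side reconciliation that compares the capture result with the merchant's own order record (payee, amount, currency and order reference) before an order is marked paid. The JSON layout is assumed to follow the shape of PayPal's Orders v2 capture response, and both sample documents and the merchant ID are constructed placeholders.

```python
import json
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass(frozen=True)
class Order:
    order_id: str     # merchant-side reference, passed to PayPal as custom_id
    amount: Decimal
    currency: str
    merchant_id: str  # our own PayPal payee id, taken from config, never from the request

def reconcile_capture(order: Order, capture_json: str) -> list[str]:
    """Return the mismatches found; an empty list means the order may be marked paid."""
    doc = json.loads(capture_json)
    problems = []
    if doc.get("status") != "COMPLETED":
        problems.append(f"order status {doc.get('status')!r} is not COMPLETED")
    units = doc.get("purchase_units") or []
    if len(units) != 1:
        return problems + [f"expected 1 purchase unit, got {len(units)}"]
    # The payee is the field that would differ if money were routed to another account.
    payee = units[0].get("payee", {}).get("merchant_id")
    if payee != order.merchant_id:
        problems.append(f"payee {payee!r} is not our merchant id")
    captures = [c for c in units[0].get("payments", {}).get("captures", [])
                if c.get("status") == "COMPLETED"]
    if len(captures) != 1:
        return problems + [f"expected 1 COMPLETED capture, got {len(captures)}"]
    cap, amt = captures[0], captures[0].get("amount", {})
    if cap.get("custom_id") != order.order_id:
        problems.append(f"custom_id {cap.get('custom_id')!r} != order {order.order_id!r}")
    if amt.get("currency_code") != order.currency:
        problems.append(f"currency {amt.get('currency_code')!r} != {order.currency!r}")
    try:
        if Decimal(str(amt.get("value"))) != order.amount:
            problems.append(f"amount {amt.get('value')!r} != {order.amount}")
    except InvalidOperation:
        problems.append("amount value is not a decimal")
    return problems

# Constructed sample: a legitimate capture for order A-1001 in the assumed Orders v2 shape.
GOOD_CAPTURE = json.dumps({"status": "COMPLETED", "purchase_units": [{
    "payee": {"merchant_id": "MERCHANT-EXAMPLE"},
    "payments": {"captures": [{"status": "COMPLETED", "custom_id": "A-1001",
                               "amount": {"currency_code": "USD", "value": "249.00"}}]}}]})
# Same document with the payee pointed at a different account (also constructed).
REROUTED_CAPTURE = GOOD_CAPTURE.replace("MERCHANT-EXAMPLE", "OTHER-ACCOUNT")
ORDER = Order("A-1001", Decimal("249.00"), "USD", "MERCHANT-EXAMPLE")
```

The same check should run on the capture response fetched from the payment provider, not on values echoed back by the client.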

The Cybernews investigation indicates that Vevor has experienced a misconfiguration error on different servers at least 30 times, exposing sensitive information to the public.

Comments

Tan
5 months ago
Dear Jurgita,

Hope this email finds you well.

Recently we noticed the article named “Retail giant Vevor leaked user location and payment data for almost five months” was updated on November 15, 2023 via Cybernews.com. You mentioned in the article that we have not responded to your demand for an update of the status after the last communication on this matter last year. We found that our late reply is due to the fact that we mistreated your last email as a scam, and we apologize for that.

We highly appreciate your long-term attention to Vevor as well as the efforts you and your team contributed toward cyber security. In this case, please allow us to update you on the status since our last communication.

1. The open database has been completely closed with security measures taken for protection against data breach. All the user data is 100% safe.
2. We have not received any reports or complaints from any of our customers who might have suffered financial loss due to compromise of his/her personal data by threat actors, and we may assume based on this that no personal data has been compromised during the time of database exposure.

Our legal team, as well as Vevor Customer Service will pay continual attention to this issue and will take necessary actions as long as any customers’ personal data might be compromised.

Again, we sincerely and highly appreciate your attention and will keep you posted on further developments.

Best regards,
Vevor team