
Global e-commerce giant VTEX has leaked the data of six million people, exposing everything from their home addresses to their purchases.
Over half a year ago, the Cybernews research team discovered a sensitive data leak in which the data of six million shoppers was handed to threat actors on a silver platter. Despite multiple attempts to contact the data owner, the sensitive information remained open to anyone.
Therefore, in addition to contacting the Brazilian CERT to help us secure the shoppers’ data, we’ve decided to post our findings to help customers stay vigilant ahead of the seasonal shopping madness that’s about to kick off.
Global e-commerce player leaks data: key facts
On February 28th, 2025, Cybernews researchers discovered a massive chunk of users’ data had been uploaded to the open Internet. The data was linked to VTEX, a global e-commerce platform.
According to its website, it powers 3,500 online stores and is used by major brands such as Samsung, Nestle, Mazda, Coca-Cola, Walmart, and Sony.
The data leak originated from an unauthenticated container. This is a common misconfiguration caused by human error that leaves the cloud storage environment without a password. It makes private data potentially visible to search engines and accessible to anyone online.
The open storage contained files in Parquet format, a columnar data storage format used to organize and store large datasets that often are part of the company’s analytics or customer data pipeline.
The leaked files exposed private data records of over six million customers using VTEX-provided e-commerce solutions. The exposed dataset leaked information about consumer behavior, listing individual purchase histories, delivery addresses, and contact details.
What data was leaked?
The leaked data is comprehensive and sensitive, and includes:
- Email addresses
- Residential addresses
- Phone numbers
- Order details and purchase histories
The company’s response
The Cybernews newsroom has contacted VTEX for additional comments. However, similar to our researchers’ attempts to draw the company’s attention to the matter, our journalists’ emails remained unanswered. Only after this article was published did the company secure the access.
In the issued statement, VTEX stated that the data was not leaked from a VTEX system.
“The information referenced in the article was specific to one VTEX customer that operates multiple brands. It was leaked from this customer's internal system,” the statement read.
VTEX said it had engaged the customer, who confirmed the leak in their internal system and has since "implemented corrective measures."
Massive data leak puts clients at risk
The scale of the data leak is threatening. VTEX is a global e-commerce solution provider founded in Brazil with clients across 38 countries. The company is behind thousands of online stores, and any data leaks could potentially have a global impact.
Cybernews researchers warn that attackers could exploit the leaked data to craft convincing phishing attacks, mimicking trusted retailers.
If a customer who recently purchased anything on a VTEX-powered e-commerce site gets an SMS or email claiming “order confirmation” or “delivery issue,” they are much more likely to fall for the scam and hand out their card or login details.
People’s order histories reveal routines, health or lifestyle choices, and point to high-value targets for fraud. Even worse, the dataset includes home addresses and phone numbers, which could lead to doxxing attacks, stalking, or harassment.
How to stay safe during the shopping season
Shoppers are advised to think twice before clicking on any links in emails, especially from unknown sources or social media ad campaigns. If the source seems familiar, always carefully check the sender’s email address, as threat actors might be impersonating well-known brands.
Deals that seem too good to be true most likely are. It is important to always double-check the official brands' sites or communication channels for information instead of following sketchy links. While communicating with vendors, always stay on the vendor platform. Ignore unsolicited texts claiming to be from vendors, and never share payment details or sensitive credentials via email.
Also, it is advisable to use virtual credit cards to protect your real card information. Using such disposable cards limits exposure to fraud for a single purchase and guards against breaches on retail sites.
You are also likely to get bombarded with messages and emails saying there’s something wrong with your parcel or that you need to pay a small fee before delivery and pickup.
First, calm down and remember whether you ordered anything at all. Even if you did, the urgency of such texts is a clear sign of a potential scam, so it’s better that you contact the seller and the shipping company directly.
Disclosure timeline
Leak discovered: February 28th, 2025
Initial disclosure: August 11th, 2025
Brazil’s CERT contacted: September 15th, 2025
Leak closed: October 8th, 2025
Updated on October 8th 14:15 GMT with the information about the closure of the leak.
Updated on October 10th 8:45 GMT with VTEX's statement.