Data Breach Gives Threat Actors Complete Information about Vevor Clients
Online Retailer Leaves Sensitive User Information Exposed for Months.
A multi-terabyte database belonging to Vevor was left open to the public this year starting July 12th until December. Threat actors had almost five months to feast on the data spillage undisturbed.
Retail giant Vevor owns over 40 warehouses in the US, UK, Canada, Australia, Germany, and other countries and has more than 10 million customers all over the world. Although they have been warned by cybersecurity researchers of the data breach, they only managed to close the database for public access during this month`s first week.
What Did the Data Spillage Reveal?
According to researchers, the data breach exposed sensitive contact information such as full names, physical addresses, emails, and phone numbers. But even more disturbing, the database also contained order details, partial payment details, and payment logs belonging to customers.
Right now, the database is closed, but that doesn`t mean the users` data is safe since cybercriminals had almost 5 months’ time to stumble upon it and exploit it.
Do Customers Whose Data Were Exposed Risk Being Victims of Cyber Attacks?
If threat actors got the data, they now have enough information for launching targeted phishing or vishing campaigns. If there is also another data leakage going on, online identity theft is also possible.
The investigation revealed that Vevor had a misconfiguration error on different servers that went on at least 30 times while exposing the customers` data to anyone aware of the leakage.
After checking the data samples, researchers saw that each PayPal authorization and capture process was logged into the same database.
Changing values before payment is captured could reroute money flow to different PayPal accounts but still be marked as a successful transaction for the Vevor order system, causing a double loss for the company as it would be giving equipment away for free
The payment platform generates encrypted tokens for their transactions, with payment tokens, payer IDs, and transaction IDs included.