Instructors at a cyber security course reported finding another massive database exposing millions of records on the public Internet. The database is an Amazon Web Services (AWS) deployment that was available to anyone who knows how to use a search engine to find this kind of information.
The database contains eight million records collected through online stores and payment system APIs from firms such as Amazon, eBay, Shopify and PayPal. The report was corroborated by Bob Diachenko, a specialist in the search for databases exposed on the Internet.
According to the specialists of the cyber security course, the exposed records include personal data such as:
- Full names
- Shipping addresses
- Purchase searches and history
- Phone numbers
- Incomplete payment card data
In addition, the experts reported the leak of some user access tokens. Because a single person can generate multiple records, it is difficult to estimate the total number of users affected during this incident. What the researchers were able to determine is the source of this data: more than half of the records belong to users in the UK.
All indications are that the incident was related to an unidentified third-party company that performed an analysis of these details. This is a serious point, as mentioned by the cyber security course members, as users were most likely unaware that their confidential details were shared with a third party. Amazon was notified shortly after, so access to the compromised database has already been shut down.
Although the company claims that there is no evidence of unauthorized access to this information, the International Institute of Cyber Security (IICS) notes that there is no way to verify this claim, so companies will need to monitor the most well-known hacking forums to verify that the compromised information does not appear on these platforms. Finally, this is just a new warning for companies that turn to online storage and that, on multiple occasions, implement poor security controls that lead to the exposure of private information.