Vevor retailer was seen exposing sensitive databases publicly

December 15, 2022
Vevor US Online Retail Customer Info Data Leak ECommerce Misconfigured Database Fraud Prevention

Retail giant Vevor was recently involved in a data exposure issue, wherein researchers found that the company left a massive database holding sensitive user information exposed publicly for almost five months.

Vevor is a California-based retailer that operates over 40 warehouses in the US, the UK, Australia, Canada, and Germany, among other regions it caters to. The retail company ships millions of products to corporations worldwide, boasting over ten million customers.

 

Most of the data involved in the Vevor leak included sensitive user information.

 

Investigations into the incident revealed that the leaked database included sensitive user data and PIIs, such as full names, residential addresses, email addresses, contact details, order details, payment details and logs, and other order tracking information.

Furthermore, the analysts found that the exposed database was out in the open since July 12, 2022, and has been publicly available for almost five months. Upon learning of the situation, the company removed the exposed database by the first week of December.

The retail giant has not commented more about the user database leak issue despite security researchers reaching out to acquire more information. Since the exposed database has already been removed from public access, it could be presumed that the data were now safe, not unless malicious actors have already obtained them from the past months that it was out.

Security analysts believe this data leak incident could entail consequences for the company, especially for the users’ safety from potential cyberattacks. Suppose threat actors have already obtained the exposed database; the data in it could be used for malicious campaigns, such as phishing, identity theft, or fraud. In these potential attacks, users’ finances could be targeted.

Organisations should also be aware of the costs of misconfigured databases, as it can open doors for threat actors to access critical details. These risks are often associated with databases that operators have improperly configured.

Key ports left out open on a server or failure to update software with the latest patches could give hackers a chance to gain unauthorised access and steal sensitive data, including usernames and passwords.

About the author

Leave a Reply