A network of knockoff apparel stores exposed 330,000 customer credit cards
If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed.
Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.
The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data.
Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.
But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency.
A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. Several people we contacted confirmed that their exposed credit card data was accurate.
TechCrunch has identified several online stores whose customers' information was exposed by the leaky database. Many of the stores claim to operate out of Hong Kong. Some of the stores are designed to sound similar to big-name brands, like Sprayground, but whose websites have no discernible contact information, typos and spelling mistakes, and a conspicuous lack of customer reviews. Internet records also show the websites were set up in the past few weeks.
Some of these websites include:
If you bought something from one of those sites in the past few weeks, you might want to consider your banking card compromised and contact your bank or card provider.
It's not clear who is responsible for this network of knockoff stores. TechCrunch contacted a person via WhatsApp whose Singapore-registered phone number was listed as the point of contact on several of the online stores. It's not clear if the contact number listed is even involved with the stores, given one of the websites listed its location as a Chick-fil-A restaurant in Houston, Texas.
Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later.
"When we learned of the incident, we immediately contacted the customer who operates the database and it was shut down immediately. Data privacy and security are top priorities at Tencent. We will continue to work with our customers to ensure they maintain their databases in a safe and secure manner," said Carrie Fan, global communications director at Tencent.
New York payments startup exposed millions of credit cards
MoviePass exposed thousands of unencrypted customer card numbers
Hackers stole passwords for accessing 140,000 payment terminals