Data of Millions of eBay and Amazon Shoppers Exposed (sophos.com) 39
An anonymous reader quotes the "Naked Security" blog of anti-virus company Sophos:
Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine. A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.
Discovered by Comparitech's noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days. Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards...
The article calls it "simply the latest example of how easy it is to leave sensitive data sitting in an unsecured state on cloud storage platforms." They cite two more high-profile databases that Comparitech found exposed on Elasticsearch just in 2020:
- A database containing 309 million Facebook user IDs, phone numbers and names
- A total of 250 million Microsoft customer support records dating back to 2005
Hilarious (Score:3)
I'm trying not to laugh, but let's just admit that no one really follows the core concepts involved in keeping data secure.
Let's also just admit that sooner or later, your data will be stolen or compromised.
Re:Hilarious (Score:5, Insightful)
IMO the simple fact of the matter is that today's systems are too complex. Sooner or later someone makes a mistake and more often than not it's because the person didn't grasp the full spiderweb of dependencies and how his action would affect each one of them.
That and nobody wants to pay for security.
Re:Hilarious (Score:4, Interesting)
That and nobody wants to pay for security.
That's the primary driving force. We got plenty of small business customers who insist we port-forward access to their DVR system from any external IP so they can watch their cameras on their iPhones. No amount of begging for a VPN in front, or begging to isolate the DVR from the line-of-business systems will suffice. Doesn't matter if we explain the DVR system isn't getting patches and will be owned sooner or later and used to access the LAN. Nope. Routers and switches that allow us to secure things have costs that are fact, and exploits are fiction.
Note: most of our customers are reasonable, and we're able to put reasonable best-practices in place. It's just the smaller ones who have trouble accepting there's a difference between a $50 DLink router from BestBuy and a $300 one that's got decent enterprise-class features.
OpenWRT (Score:3)
It's just the smaller ones who have trouble accepting there's a difference between a $50 DLink router from BestBuy and a $300 one that's got decent enterprise-class features.
Though any /. geek knows that, right after unboxing the $50 DLink, the best thing to do is to wipe its firmware and flash OpenWRT on it
(which among other things DOES feature VPN capabilities to solve the "watch the camera from iPhone" problem).
The problem is that, while the /. geek knows it, the smaller customers will not do it.
Re: (Score:2)
I did not know that I could do that, and I think of myself as rather good at doing things to stay safe... time to tell a few buddies of mine to update
Re: (Score:2)
Fortunately I was always in a position where I could say "No" when they told me to do stupid things. My employer refused to let the security system become the customer's biggest security flaw so we were able to do it right. What the customer and their IT staff did afterward was not our fault.
Re: (Score:3)
IMO the simple fact of the matter is that todays systems are too complex.
These problems aren't complex at all. Just check whether your data is world-readable by trying to read it. This takes 5 minutes, tops. These aren't sophisticated hacks requiring complex defense techniques that take years to learn. This is not even bothering to check whether your door is open. FFS.
OK, if you want to be a top-dollar, super-high-skilled IT defense guy in the modern age, take 15 minutes to make a script that tries to read your data every few minutes. When you catch the moron who changes som
Re:Hilarious (Score:4, Informative)
This is a whole lot more than a mistake, you have to make the effort to make an S3 bucket publicly accessible. The person who did that had to be aware that this was an incredibly stupid thing to do, did it anyway, and then LEFT IT that way. No step of that is a "mistake".
Re: (Score:1)
Probably started as a debug session on the dev server, which then became the production server... The usual high standard of work in the secure web development arena.
I wish they had published the name of the company. How am I supposed to hit them up with GDPR requests to see if I was affected if I don't know the name?
Might start with eBay and Amazon, request a list of every company they have ever shared any of my data with.
Re: Hilarious (Score:2)
But that is just it. If someone is checking the work, even if someone makes a mistake it gets caught by someone else.
Re: (Score:1)
Sorry, but your data has been stolen or compromised.
Re: (Score:1)
Re: (Score:3)
If high tech companies are so proud of their technical prowess,
then there should be a penalty that is higher than the cost of doing it right.
This seems like the only way to get their attention.
I'd like to suggest penalties similar to the existing copyright violations:
Service pays the actual dollar amount of damages and profits.
Any arbitration agreements of the service are terminated.
The law provides a range from $200 to $150,000 for each person impacted.
Service pays for all attorneys' fees and court costs.
The service board of directors can go to jail.
Re: Hilarious (Score:2)
All they really need to do is lose 5% of their shares to the govt every time it happens. I am talking about actual shares, not dollar value. Permanently removed from circulation. And the shares come from the largest shareholders and work their way down the ladder.
This shit would get solved quick.
Re: (Score:1)
Under GDPR this kind of data breach can have fines of up to 4% global turnover. When we're talking Amazon and eBay, that's a serious amount of drinking vouchers.
Re: (Score:2)
There are reasons that customers legitimately have for making S3 buckets publicly available. This one was particularly stupid, but that's not AWS's fault.
Re: (Score:2)
There are reasons that customers legitimately have for making S3 buckets publicly available. This one was particularly stupid, but that's not AWS's fault.
True but Amazon is also listed as one of the companies that lost data, so it seems that they were one of the companies not using AWS securely.
Re: (Score:2)
And as long as the fines for actions like this are low enough this won't change. Fines low enough are just part of the cost of operation.
Re: (Score:1)
If it was a US only thing, maybe. This is a European thing.
Old man yells at cloud (Score:2)
Re: (Score:2)
In German "cloud" is a homonym to "klaut", which means "he/she/it steals".
Do they know something we don't?
Passwordless again (Score:4, Insightful)
Yet another "mongodb with no password" exposed again.
When is Mongo going to accept people are just idiots, and you need to force them to use a password?
Why do they even think "Access control disabled by default" is a good default?
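A small audit of the two misconfigurations this thread keeps coming back to, a world-readable S3 bucket ACL and a mongod.conf with authorization left off (the "check whether your data is world-readable" idea above, and "access control disabled by default"), as added example code that is not from the article, Sophos or MongoDB. The checker functions, the minimal mongod.conf parser and the sample ACL and config inputs are all constructed for this example.

```python
import json

# S3 grantee groups that make a bucket or object readable by the whole internet
# (AllUsers) or by anyone holding any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Permissions an S3 ACL (JSON shape of get-bucket-acl / get-object-acl) hands to public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GRANTEES)

def parse_mongod_conf(text):
    """Minimal parser for the 'key: value' YAML subset mongod.conf uses (no lists, no quoting)."""
    root = {}
    stack = [(-1, root)]                      # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments; skip blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # a dedent closes the nested mapping(s)
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:                                 # section header such as 'net:'
            stack[-1][1][key] = {}
            stack.append((indent, stack[-1][1][key]))
    return root

def mongod_findings(conf):
    """Flag the two settings that turn a mongod into the password-less, exposed database in the story."""
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled (MongoDB's default): "
                        "anyone who can reach the port can read every database")
    net = conf.get("net", {})
    if net.get("bindIpAll") == "true" or net.get("bindIp", "127.0.0.1") in ("0.0.0.0", "::", "::,0.0.0.0"):
        findings.append("net.bindIp listens on every interface, so the port is reachable from outside the host")
    return findings

# Constructed samples: a public-read bucket ACL, and an exposed vs. a hardened mongod.conf.
PUBLIC_ACL = json.loads('{"Owner": {"ID": "example-owner"}, "Grants": ['
    '{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}, '
    '{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}')
EXPOSED_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0  # internet-facing\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
```

Feed `public_acl_grants` the output of `aws s3api get-bucket-acl` and `mongod_findings` your real `/etc/mongod.conf`; a non-empty result from either is the misconfiguration the article describes.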
Re: (Score:3)
Also in German, "Mongo" is a very bad word, used as a title for someone who is really, really, REALLY stupid.
Seriously, do the Germans know something we don't?
Re: (Score:2)
Funny. In Spanish too. It's difficult to pitch Mongo to execs since they think you're joking, with that name.
Re: (Score:2)
It has a bad connotation in English too. I'm not sure why they named it that. Maybe as in, even a mongo could use it. I think only mongos use it.
Re: (Score:3)
Yet another "mongodb with no password" exposed again.
When is Mongo going to accept people are just idiots, and you need to force them to use a password?
Why do they even think "Access control disabled by default" is a good default?
I don't think that's MongoDB's fault. This wasn't average Joe setting up a blog, but a tech company making 'value added' business on third party private and financial data, millions of records of it and for high volume sellers. You'd expect they'd have a minimal clue about information security and follow proper protocols, and you'd expect those high profile sellers would have made sure of that. IMO Amazon, PayPal and eBay et al should all be held liable for handing off such sensitive data to such dbags in th
Mongo just pawn in game of life (Score:4, Funny)
Mongo no need password.
Mongo fight hackers with fists.
2FA already shows us a solution (Score:2)
With 2FA (real 2FA, like Authy [authy.com]), the only thing shared between you and the third party is a certificate. That certificate is used to generate a one-time code which changes every 30 seconds. Since both sides have
Re: 2FA already shows us a solution (Score:2)
Re: (Score:2)
This has nothing to do with Amazon being broken into. The breach was into a DB for a third party app commonly used by marketplace sellers to organize their inventory. Amazon's only connection to this is (1) that the db was hosted on AWS and (2) that some of these sellers sold on Amazon (as well as eBay and so on).
"The vendor’s app pulled sales records from marketplace and payment system APIs like that of Amazon UK, Ebay, Shopify, PayPal, and Stripe"
It might not be Amazon's fault but Amazon may be liable. If they share my personal data with a third-party so that my order can be fulfilled (e.g. on marketplace), it's their responsibility that the data is handled securely. "Sorry, we gave it to a third party, and they lost it" is not a defence.
Re: (Score:2)
Not likely. What happens is the third party seller contracts a company for online selling services - basically you have a product to sell, you use their service and it maintains inventory on eBay, Amazon, Shopify
Re: (Score:2)
Likely because they responded within an hour taking the DB down and the researchers valued that response. If they're a small startup no public pressure is really needed, they will go bust anyway, likely sued and/or fried by their powerful clients.
Again, this is another warning call for those big shots. They are ultimately responsible for keeping their customers' data safe, so they are the worst offenders here as far as the public is concerned, not the middle men which the customers don't know squat about no
Re: (Score:2)
Again, this is another warning call for those big shots. They are ultimately responsible for keeping their customers' data safe, so they are the worst offenders here as far as the public is concerned, not the middle men which the customers don't know squat about nor should.
I don't think the issue here is the big shot (Amazon, eBay, ...) but the marketplace sellers that used the third party as a CRM. It's especially problematic for a marketplace like eBay because the shipping is managed by the seller and not the marketplace, so the seller has to receive the full details of the buyer.
MongoD/AWS S3 Every Time there is a security issue (Score:1)
Every time there is a large breach it feels like it's always MongoDB or AWS S3 that is the cause of it.
Why do we as engineers allow this terrible tech that is known to be broken and insecure on our production networks? We know there are better DBs, we know how to lock down an AWS S3 bucket. So why isn't security happening?
Why can't AWS secure its basic systems? Or was this yet another Bootcamp developer that got hired over somebody who knew wtf they were doing simply because they were cheaper because they