If you recently made a purchase from an overseas online store selling counterfeit clothing and items, your credit card number and personal information may have been exposed.
Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholder information has been spreading across the open web. By the time it was taken offline on Tuesday, the database contained around 330,000 credit card numbers, cardholder names and full billing addresses, and it was growing in real time as customers placed new orders. The data contained all the information a criminal would need to make fraudulent transactions and purchases using a cardholder’s information.
The credit card numbers belong to customers who have made purchases through a network of nearly identical online stores claiming to sell designer items and clothing. But the stores had the same security problem in common: every time a customer made a purchase, their credit card and billing information was saved in a database, which remained exposed to the Internet without a password. Anyone who knew the database’s IP address could access tons of unencrypted financial data.
Anurag Sen, a bona fide security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet for exposed servers and inadvertently released data, and reporting them to companies so they can secure their systems.
But in this case, Sen was not the first person to discover the leaked data. According to a ransom note left on the exposed database, someone else had found the dumped data and, instead of trying to identify the owner and report the dump responsibly, the anonymous person claimed to have taken a copy of the entire contents of the database of credit card data and would return it in exchange for a small amount of cryptocurrency.
A review of data by TechCrunch shows that most credit card numbers belong to cardholders in the United States. Several people we contacted confirmed that their exposed credit card details were correct.
TechCrunch identified several online stores whose customer information was exposed by the leaked database. Many stores claim to operate from Hong Kong. Some stores are designed to look like big brands, like Sprayground, but their websites have no discernible contact information, contain typos and spelling mistakes, and show a distinct lack of customer reviews. Internet records also show that the websites were created within the last few weeks.
Some of these websites include:
If you’ve purchased something from one of these sites in the last few weeks, you may want to consider your credit card compromised and contact your bank or card provider.
It is unclear who is responsible for this network of counterfeit stores. TechCrunch contacted, via WhatsApp, a person whose registered Singapore phone number was listed as a point of contact on several of the online stores. It’s unclear if the contact number listed is even involved with the stores, given that one of the websites listed its location as a Chick-fil-A restaurant in Houston, Texas.
Internet records showed the database was operated by a Tencent customer, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer’s database leaking credit card information, and the company responded quickly. The customer’s database went offline soon after.
“When we learned of the incident, we immediately contacted the customer who operates the database and it was shut down immediately. Privacy and data security are top priorities at Tencent. We will continue to work with our customers to ensure they maintain their databases in a safe and secure manner,” said Carrie Fan, Director of Global Communications at Tencent.