Date: 17th June 2021
Severity: High
Nearly half a million cosmetics customers were in for a shock when a misconfigured cloud storage account on Amazon Web Services exposed their personal data to hackers. The leak, from an Amazon S3 bucket belonging to popular Turkish beauty products firm Cosmolog Kozmetik, was traced by a research team at the reviews site WizCase.
The 20 GB leak contained approximately 95,000 files, including thousands of Excel files containing personal information of 567,000 unique users who bought products across multiple e-commerce platforms. As per the report, the data contained no payment information; it held the customers' full names, addresses and purchase details, plus phone numbers and email IDs for a few customers.
Since the oldest orders dated to 2019, it is quite clear that the database was updated on a consistent basis. WizCase warned that if attackers managed to find and copy the leaked data, the shoppers would be at risk of phishing and fraud, or perhaps the refund scams that loom large in such scenarios. This is one of the innovative ways of trapping customers. The only apparent way to stop such attacks and mitigate the risks is for customers to provide as little information as they can on such platforms.
Source: WizCase