If you recently made a purchase from a foreign online store that sells counterfeit clothing and goods, chances are your credit card number and personal information have been exposed.
Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholder information had been spilling onto the open internet. When it went offline on Tuesday, the database held about 330,000 credit card numbers, cardholder names and full billing addresses – and was growing in real time as customers placed new orders. The data contained all the information a criminal would need to make fraudulent transactions and purchases using a cardholder’s information.
The credit card numbers belong to customers who made purchases through a network of nearly identical online stores claiming to sell designer goods and clothing. But the stores shared the same security problem: every time a customer made a purchase, their credit card details and billing information were stored in a database that was exposed to the internet without a password. Anyone who knew the database’s IP address could access vast amounts of unencrypted financial data.
Anurag Sen, a bona fide security researcher, found the exposed credit card records and asked TechCrunch for help reporting them to the owner. Sen has a respectable track record of scanning the internet for exposed servers and accidentally published data, and of reporting them to companies so they can secure their systems.
But in this case, Sen wasn’t the first person to discover the exposed data. According to a ransom note left on the exposed database, someone else had found the spilled data, and instead of attempting to identify the owner and responsibly report the spill, the unnamed individual claimed to have taken a copy of the entire contents of the database of credit card details and would return it for a small sum of cryptocurrency.
A TechCrunch review of the data shows that most of the credit card numbers belong to cardholders in the United States. Several people we contacted confirmed that their exposed credit card details were correct.
TechCrunch has identified several online stores whose customer information was exposed through the leaked database. Many of the shops claim to operate out of Hong Kong. Some of the stores are designed to sound similar to big brands like Sprayground, but their websites have no discernible contact information, contain typos and misspellings, and show a conspicuous lack of customer reviews. Internet records also show that the websites were set up over the past few weeks.
Some of these websites include:
- spraygroundusa.com
- ihuahebuy.com
- igoodlinks.com
- ibuysbuy.com
- lichengshop.com
- hzoushop.com
- goldlyshop.com
- haohangshop.com
- twinklebubble.store
- spendidbuy.com
If you’ve bought something on one of these websites in the past few weeks, you should consider your bank card compromised and contact your bank or card provider.
It is not clear who is responsible for this network of fake shops. TechCrunch contacted, via WhatsApp, an individual whose Singapore-registered phone number was listed as a point of contact on several online stores. It’s not clear if the contact number provided is even related to the stores, as one of the websites lists a Chick-fil-A restaurant in Houston, Texas as its location.
Internet records showed that the database was operated by a Tencent customer whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer’s database exposing credit card information, and the company responded quickly. The customer’s database went offline a short time later.
“When we found out about the incident, we immediately contacted the customer running the database and it was shut down immediately. Privacy and security are top priorities at Tencent. We will continue to work with our customers to ensure they are maintaining their databases in a secure manner,” said Carrie Fan, Tencent’s Global Communications Director.