New day, new leak.
A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found.
In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords.
Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named.
The database was exposed because of the company’s own insecure server and use of “rsync,” a common protocol used for synchronizing copies of files between two different computers, which wasn’t protected with a username or password.
Researchers at the Kromtech Security Research Center found the database in November. But after numerous efforts to contact the company by phone and email, the database was only secured this week.
It’s not clear who’s to blame for the breach. The pet store is understood to have been developed by DataWeb Inc., which has built dozens of other similar pet-related sites and owns PegasusCart, an e-commerce platform, used on all of DataWeb’s sites.
Kromtech researcher Bob Diachenko found that the leaked data wasn’t limited to just FuturePets.com, but also appeared to contain several folders, including one that shows several backup files and databases of transactions within the DataWeb network.
“They have everything in there — from ad campaigns to thousands of orders details, with full customer payment details exposed, with IP addresses tracked down for milliseconds,” said Diachenko, who also blogged about the discovery.
However, there’s no evidence to suggest that any PegasusCart data had been exposed.
Todd Nelson, co-founder of PegasusCart, said in an email that the owners of the site “explained that as of a year or so ago, their data was moved to an outside cloud based e-commerce platform.” (At the time of writing, FuturePets.com still used PegasusCart on its website.)
“If they were breached on their web server and any data were found, it would be very old and likely quite useless, but they jumped into action anyway,” he said.
“They have solicited a security firm to investigate the issue and plug any hole should one exist,” he added, but didn’t say if the company would inform its customers of a breach.
The upside to the story is that the exposure has stopped, but it’s not clear who else may have accessed the data — or if that data, such as credit card information, has been used.
Gone are the days where hackers will target en masse the larger companies, rare as those attacks are, because of the stringent security measures and systems in place. In other words, it’s harder than ever before to target the highest echelons of big business.
Instead, criminals out to make a few bucks are ever increasingly targeting smaller firms, who may not be as invested or knowledgeable in security.
According to Juniper Research, smaller companies usually have “less of a network to keep under control” than larger organizations, but “even small data breaches are likely to take a much larger toll on businesses with a smaller turnover.”
With a data exposure live on the internet for at least six months, there’s no telling where the data has gone. But what’s clear is that if a security researcher found it, it’s possible that others have, too.
