Security researcher Jeremiah Fowler recently discovered a non-password protected database that contained 601.84 GB and 1.16 Billion records. There were references throughout the database indicating that the data belonged to the California-based online retailer, Vevor.
Two separate data exposures: The first database was initially discovered back in early April 2022 and despite multiple responsible disclosure notices we never received a reply and the database was restricted from public access several days later. Then, on a separate IP address, the unsecured AWS server appeared again in early July 2022, when we again tried to reach out to the owner, yet again, we didn’t receive a reply, luckily the server was shortly secured.
The misconfiguration was caused by the server’s owner (VEVOR or their infrastructure vendor) and not Amazon Web Services. The data was marked as “production” and contained what appears to be various types of PII and sensitive data relating to their online operations including customer information such as first and last name, partial credit card numbers, transaction IDs, order and refund information, and much more. The payment and checkout records including names, emails, home addresses, currency, and more were exposed in both plain text and hashed. Since July, we haven’t seen the dataset exposed again. To make sure it wouldn’t appear again online and ill-intentioned hackers would find it, we waited a few months before publishing our findings.
What the database contained: 1st Exposure in April 2022: Total Size: 406.79 GB / Total Documents: 706,206,770 2nd Exposure in July 2022: Total Size: 601.84 GB / Total Documents: 1,166,293,742
- A very large number of email addresses: There were 7 folders named “email-API” with 8.1 million records, which comes up to about 31.64GB in total. Based on a limited sampling of 10,000 records, were found 2,559 email addresses that appeared to be unique.