Cybersecurity researcher Jeremiah Fowler discovered a severe data exposure resulting from a misconfigured cloud database associated with BuyGoods.com, a global ecommerce marketplace. The unprotected database, totaling 198.3 gigabytes, lacked security authentication, making it openly accessible to the public. It contained over 260,000 records, including affiliate payouts, refund transactions, invoices, and sensitive Personally Identifiable Information (PII) and Know Your Customer (KYC) data. The exposed information encompassed customers’ personal documents like selfies, identification cards, passports, and unredacted credit card details, potentially impacting users across 17 countries.
BuyGoods.com, based in Wilmington, Delaware, serves as a business management platform for product owners, marketers, and online shoppers, boasting a user base of 3 million consumers across 17 countries. Despite the swift acknowledgment by BuyGoods.com after Fowler’s responsible disclosure, stating the access issue had been resolved, the researcher found that the server remained exposed for some time, posing ongoing risks. Fowler promptly notified the company about the security concern, but the database continued to be accessible, raising concerns about the effectiveness of the resolution and the potential impact on global users.
The data leak revealed not only financial and transactional records but also highly sensitive personal documents, amplifying the severity of the privacy breach. Despite BuyGoods.com’s assurances, the extended exposure of the database underscores the challenges in promptly securing sensitive information and the potential risks faced by individuals worldwide due to the misconfiguration. The incident highlights the critical importance of securing cloud databases and ensuring robust measures to protect user data in the rapidly evolving landscape of online transactions and ecommerce platforms.
