The data was exposed for at least six months — likely longer.
A US online pet store has exposed the details of more than 110,400 credit cards used
to make purchases through its website, researchers have found.
In a stunning show of poor security, the Austin, Texas-based company FuturePets.com
exposed its entire customer database, including names, postal and email addresses,
phone numbers, credit card information, and plain-text passwords.
Several customers that we reached out to confirmed some of their information when it
was provided by ZDNet, but they did not want to be named.
The database was exposed because the company’s own server was insecure and ran
“rsync,” a common protocol used for synchronizing copies of files between two
different computers, without any password protection.
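As an added illustration (not code from the article, Kromtech, or the companies involved), the following Python audits an rsync daemon configuration for modules that any host can read without credentials, which is the condition the article describes. Both configuration samples are constructed, and the directive names used (auth users, secrets file, hosts allow, read only, list, use chroot) are rsync's own.

```python
import re
# Constructed sample (not the company's real configuration): a module with no
# "auth users" and no "hosts allow", so any host can pull it anonymously.
WEAK_CONF = """uid = nobody
[backups]
    path = /srv/backups
"""
# Constructed sample: the same module requiring a daemon user and an allow-list.
HARDENED_CONF = """uid = nobody
use chroot = yes
[backups]
    path = /srv/backups
    list = no
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.5.0/24
"""
# Daemon directives whose absence leaves a module open to anyone on the network.
REQUIRED = ("auth users", "secrets file", "hosts allow")
def parse_rsyncd_conf(text):
    """Split an rsyncd.conf into (global params, {module: params}); keys lowercased."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank and comment lines are ignored
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:  # "[name]" starts a new module
            current = section.group(1).strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_params if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return global_params, modules

def audit(text):
    """Return {module: [problems]} for modules reachable without credentials or an allow-list."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, params in modules.items():
        effective = {**global_params, **params}  # module settings override global ones
        problems = [k for k in REQUIRED if not effective.get(k)]
        if effective.get("read only", "yes").lower() in ("no", "false", "0"):
            problems.append("read only = no")  # module is writable, not just readable
        if problems:
            findings[name] = problems
    return findings
```

Run it against the live /etc/rsyncd.conf of any host that exposes port 873; an empty result means every module demands a daemon user and restricts source addresses.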
Researchers at the Kromtech Security Research Center found the database in November.
But after numerous efforts to contact the company by phone and email, the database
was only secured this week.
It’s not clear who’s to blame for the breach. The pet store is understood to have
been developed by DataWeb Inc., which has built dozens of other similar pet-related
sites and owns PegasusCart, an ecommerce platform used on all of DataWeb’s sites.
Kromtech researcher Bob Diachenko found that the leaked data wasn’t limited to just
FuturePets.com, but also appeared to contain several folders, including one that
shows several backup files and databases of transactions within the DataWeb network.
“They have everything in there — from ad campaigns to thousands of order details,
with full customer payment details exposed, with IP addresses tracked down for
milliseconds,” said Diachenko, who also blogged about the discovery.
However, there’s no evidence to suggest that any PegasusCart data had been exposed.
Todd Nelson, co-founder of PegasusCart, said in an email that the owners of the site
“explained that, as of a year or so ago, their data was moved to an outside cloud
based ecommerce platform.” (At the time of writing, FuturePets.com still used
PegasusCart on its website.)
“If they were breached on their web server and any data were found, it would be very
old and likely quite useless, but they jumped into action anyway,” he said.
“They have solicited a security firm to investigate the issue and plug any hole
should one exist,” he added, but he didn’t say if the company would inform its
customers of a breach.
The upside to the story is that the exposure has stopped, but it’s not clear who else
may have accessed the data — or if that data, such as credit card information, has
Gone are the days when hackers target the larger companies en masse, rare as
those attacks are, because of the stringent security measures and systems in place.
In other words, it’s harder than ever before to target the highest echelons of big
Instead, criminals out to make a few bucks are increasingly targeting smaller
firms, which may not be as invested or knowledgeable in security.
According to Juniper Research, smaller companies usually have “less of a network to
keep under control” than larger organizations, but “even small data breaches are
likely to take a much larger toll on businesses with a smaller turnover.”
With a data exposure live on the internet for at least six months, there’s no telling
where the data has gone. But what’s clear is that if a security researcher found it,
it’s possible that others have, too.