Hipshipper, an international shipping platform used by eBay, Shopify, and Amazon sellers, has exposed millions of shipping labels, revealing personal customer data, according to Cybernews.
The open instance was discovered in December, a peak month for international shipping.
“Cybercriminals can exploit leaked data to orchestrate advanced scams and phishing attacks,” Cybernews researchers say. “For example, crooks may impersonate trusted businesses and distribute fraudulent messages that leverage specific order details to demand urgent verification of personal or financial information.”
Once Cybernews contacted Hipshipper about the unprotected AWS bucket with over 14.3 million records, the company closed the exposed bucket, so the data is no longer accessible to the public.
Researchers believe the data stored on the exposed bucket included buyers’ personal details, such as full names, home addresses, phone numbers, and other order details. Cybernews said that while there’s no indication that cybercriminals got their hands on the exposed bucket, millions of malicious actors use automated bots to scour the internet for similar leaks, hoping to use data for malicious purposes.
To avoid future data leaks, Cybernews researchers advise businesses to:
- Change access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
- Retrospectively review access logs to assess whether the bucket has been accessed by unauthorized actors.
- Enable server-side encryption to protect data at rest.
- Use AWS Key Management Service (KMS) to manage encryption keys securely.
- Implement SSL/TLS for data in transit to ensure secure communication.
- Consider implementing security best practices, including regular audits, automated security checks, and employee training.
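The retrospective log review recommended above can be sketched as follows. This is an added example, not code from Cybernews or Hipshipper: it parses S3 server access log records and summarises successful reads that carried no credentials, grouped by client IP. The bucket name, IDs, IP addresses, object keys and log lines are constructed.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record, in documented order.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes_sent>\d+|-)'
)
READ_OPS = {"REST.GET.OBJECT", "REST.HEAD.OBJECT", "REST.GET.BUCKET"}

# Constructed sample records (bucket, IDs, IPs and keys are made up).
SAMPLE_LOG = '''\
OWNEREXAMPLE example-labels [05/Jan/2025:03:14:07 +0000] 198.51.100.7 - REQ0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4821 - 31 30 "-" "python-requests/2.31" -
OWNEREXAMPLE example-labels [05/Jan/2025:03:14:09 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT labels/0001.pdf "GET /labels/0001.pdf HTTP/1.1" 200 - 52110 52110 12 11 "-" "python-requests/2.31" -
OWNEREXAMPLE example-labels [05/Jan/2025:03:14:10 +0000] 198.51.100.7 - REQ0003 REST.GET.OBJECT labels/0002.pdf "GET /labels/0002.pdf HTTP/1.1" 200 - 49877 49877 11 10 "-" "python-requests/2.31" -
OWNEREXAMPLE example-labels [05/Jan/2025:08:00:01 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/label-service REQ0004 REST.GET.OBJECT labels/0001.pdf "GET /labels/0001.pdf HTTP/1.1" 200 - 52110 52110 9 8 "-" "aws-sdk" -
OWNEREXAMPLE example-labels [05/Jan/2025:09:30:00 +0000] 203.0.113.20 - REQ0005 REST.GET.OBJECT labels/0004.pdf "GET /labels/0004.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4.0" -
OWNEREXAMPLE example-labels [05/Jan/2025:09:30:02 +0000] 203.0.113.20 - REQ0006 REST.HEAD.OBJECT labels/0003.pdf "HEAD /labels/0003.pdf HTTP/1.1" 200 - - 50112 9 - "-" "curl/8.4.0" -
'''

def anonymous_reads(log_text):
    """Group successful unauthenticated reads by client IP."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "listed": False, "keys": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Requester "-" means the request carried no credentials.
        if not m or m["requester"] != "-" or m["operation"] not in READ_OPS:
            continue
        if not m["status"].startswith("2"):
            continue  # e.g. 403 AccessDenied: the access controls held
        entry = hits[m["ip"]]
        entry["requests"] += 1
        entry["bytes"] += int(m["bytes_sent"]) if m["bytes_sent"] != "-" else 0
        if m["operation"] == "REST.GET.BUCKET":
            entry["listed"] = True  # a bucket listing reveals every key name
        else:
            entry["keys"].add(m["key"])
    return dict(hits)

if __name__ == "__main__":
    for ip, e in sorted(anonymous_reads(SAMPLE_LOG).items()):
        print(ip, e["requests"], "requests,", e["bytes"], "bytes, listed:", e["listed"], sorted(e["keys"]))
```

This kind of review is only possible if server access logging was enabled on the bucket before the exposure, and S3 delivers these logs on a best-effort basis, so an empty result does not prove that nobody read the data.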