An online marketplace on which customers trade discounted online accounts, license keys and malware has suffered a data leak exposing hundreds of thousands of sensitive records, according to vpnMentor.
Security researcher Jeremiah Fowler discovered 600,000 “customer support attachments” related to website Z2U, which included images of people holding credit cards, passports and other ID documents.
Also exposed in the non-password protected database were: payment transactions including IBAN numbers; user account logins, emails and passwords; and order confirmations showing the customer’s name, email and details of their purchase.
Additionally, Fowler was able to access screenshots of the customer support dashboard, communications, purchase histories, account credits and refund requests.
Fowler said the platform is based in China, as was the server hosting the database in question. Z2U also has an English language website and a 4.5 rating on Trustpilot.
It claims to be a “world leading digital marketplace trading platform” for gamers, dedicated to buying and selling in-game items.
However, Fowler’s research appeared to reveal a range of dubious trading activity outside the gaming world, including the sale of social media, streaming and even Amazon accounts.
“This bypasses the validation processes that many social media companies put in place to prevent malicious or fraudulent activity on their platforms. The Amazon customer (buyer) and merchant (seller) accounts sold on Z2U also pose a risk of fraud,” he argued.
“Sharing or selling accounts raises many ethical and security concerns. I saw documents indicating users on Z2U were selling HBO MAX and Netflix Premium accounts for as little as $1, and Disney+ three-month subscriptions for $5. For reference, Disney+ costs $109.99 per year, while sellers on Z2U offer access for as little as $17 per year. In the UK it’s against the law for users to share their passwords for services such as Netflix, Amazon Prime Video and Disney+.”
Fowler also claimed to see Windows license keys for sale “at a fraction of the actual worth” and sellers “offering viruses, malware or other malicious applications.”
Access to the database was closed shortly after the researcher sent a note to the site in Chinese.
“We imply no wrongdoing by Z2U or their customers and only highlight the details of our discovery to identify real world risks,” Fowler concluded.
Infosecurity has contacted Z2U for comment and will update this story if we hear back.