Cybersecurity Researcher Jeremiah Fowler discovered and reported to WebsitePlanet about a non-password protected database that held nearly 260k files containing images of credit cards, identification documents, personally identifiable information, and other potentially sensitive information.
The publicly exposed database contained 257,562 records with a total size of 198.3 GB. Upon further research, there were indications that the database belonged to a company called SoftwareProjects. There were thousands of documents that disclosed personally identifiable information (PII) of both clients and affiliates. However, a large number of the documents in the exposed database also referenced an entity named BuyGoods. To ensure that I knew who was the correct owner of the database, I called BuyGoods customer support and was told that both entities are connected and that SoftwareProjects is the corporate operating name of the business. I immediately sent a responsible disclosure notice and received the following message via e-mail: “Thank you for letting us know about this. The access issue to the directories list has now been resolved. We are moving all PII data away from those public buckets”. Despite efforts to resolve the issue, it appeared that the database was still accessible for some time before being restricted.
The database was marked as CDN, which typically stands for a content delivery network or content distribution network. This is where documents and files are stored to speed up the load time of an application, website, or other data-heavy web-based tools. I saw many internal documents such as invoices, refunds, affiliate payouts, sales and accounting data, and much more. The most concerning discovery I saw was approximately 18,000 order verification files that included images of personal identification documents, pictures of individuals holding said identification documents, and credit cards from customers worldwide.
In a separate folder, there were verification documents for affiliates. These affiliate records could be potentially more sensitive than customer records because cyber criminals would be aware that these individuals are engaged in business activities and could potentially be more valuable targets for theft or fraud. It is important to note that I did not access or analyze these files in detail to respect privacy, ethical, and legal boundaries.
There were a range of other files and documents inside the database. I saw a folder with thousands of invoices that included customer PII. In addition to the invoices, there were also refund documents, bank transfer records, and .csv files that included thousands of earnings reports that showed ABA account numbers of affiliates. Exposed bank accounts and routing numbers could potentially allow criminals to attempt unauthorized bill payments or money transfers. There were also many internal programming files required for website or application functionality inside the database. Each of these records presents a unique potential security threat when publicly exposed.
SoftwareProjects was founded in 2003 as a web development agency and in 2015 changed their business to focus on developing an eCommerce shopping cart platform. According to their website, SoftwareProjects is a leader in performance marketing, servicing more than 10,000 customers every day in 17 countries. BuyGoods is a global e-commerce platform that facilitates online transactions for various products and services. They provide a platform for merchants to sell their goods and services, and for consumers to make online purchases. BuyGoods also offers a bundle of tools for tracking and analytics, automated reporting features, and a publisher marketplace for various businesses and vendors. Vendors utilizing the BuyGoods platform appear to sell a wide range of products, including physical goods, digital products, or services.
This is a collage I created of screenshots showing how the identification documents and credit cards (details redacted) were presented in the database. These documents appear to belong to individuals from around the world.
This screenshot shows a verification image of the individual holding their identification document, details of which have been redacted. This same image could hypothetically be used to open fraudulent accounts when only a picture is needed for Know Your Customer (KYC) requirements.
The database also contained screenshots of the internal dashboard and the accounts of customers or affiliates.
This screenshot shows payment information that includes names and account numbers (redacted). This specific document shows a refund of $33,840 and $727, indicating there are substantial sums of money in the exposed accounts.
This screenshot shows that the database contained voicemail files, which an affiliate used for their “Trump Bucks” business. Trump Bucks is a fake currency in the form of coins, checks, and cards that were sold to supporters of the former president Donald Trump. The companies that sold these items claimed that the currency would be made legal when Trump was returned to the presidency. It appears the fake currency was offered to customers before the Trump Bucks website was taken down in June. There were multiple complaints that the currency was worthless and, therefore, a scam. Victims invested thousands of dollars in Trump Bucks.
This screenshot shows .js files inside the database. JavaScript is a programming language and a core technology for web development that runs in web browsers. Exposed JavaScript files could potentially be manipulated to add malicious code to a website, which could lead to various cybersecurity risks.❮❯
Note: All sensitive details in the images above have been thoroughly redacted to protect the privacy and security of the individuals concerned. Our intent is not to expose personal information but to highlight the potential risks of such data being accessible through breaches.
Potential Impact / Risks
It is unknown if the data was accessed by anyone else and only an internal audit by Software Projects would identify additional access. Exposed JavaScript (.js) files in a data breach have potential risks and numerous security vulnerabilities. JavaScript files contain the code that provides websites or applications with the functionality. If malicious actors have access to these code files, they can potentially identify vulnerabilities and exploit them. The highest potential risk is that attackers could inject malicious scripts or launch attacks like Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF).
In some cases, JavaScript files may contain sensitive information such as API keys, database credentials, or even passwords. It is hypothetically possible for attackers to modify these files and introduce malicious code that redirects users to phishing sites, where the hackers could harvest sensitive information entered on the website or prompt the users to download malware. It should be noted that I am not claiming that SoftwareProjects, BuyGoods, or any other affiliated service was affected or was ever at risk. I am only providing a real-world example of how these specific files could be a potential security risk.
Any data breach involving driver’s licenses, passports, military ID cards, or other identification documents poses significant risks and can have broader personal privacy implications. Identification documents contain information such as full names, addresses, dates of birth, and license numbers. Criminals who gain access to sensitive personal information combined with high-resolution images of documents could potentially commit identity theft, conduct fraud, open new accounts, apply for credit or loans, or engage in other illegal activities using the victim’s name and identification. When a criminal impersonates the victim, it could potentially lead to very serious risks to personal and financial privacy that can take years to recover from. These potential risks could include financial losses, damage to credit scores, or even legal consequences.
Exposed credit card data can be used for unauthorized transactions and other forms of financial fraud. Criminals may make purchases, withdraw funds, or conduct other illicit activities using the stolen credit card information. The potential risk of financial losses for individual cardholders can be particularly significant and create a complicated path of reporting and recovering stolen funds or fraudulent purchases. These unauthorized charges could negatively impact an individual’s credit score and result in difficulties obtaining new credit accounts; they could be forced to pay higher interest rates, or even be denied when they apply for credit applications.
Whenever there is a data breach where credit card and personal ID information has been exposed, there are potential risks. I recommend customers or affiliates who may have had their personal or payment information exposed take proactive measures and be on the lookout for anything suspicious. Here are a few basic steps anyone can take if they believe their data was affected:
Monitor credit and debit accounts to ensure the transactions are authorized. This can help identify any suspicious activity or unauthorized charges. Regularly obtaining a credit report can also help if any new accounts have been opened in your name. If you do find something suspicious or suspect your information is being fraudulently used, you can contact the credit reporting agency in your country or region to place a fraud alert or freeze on your credit reports. A fraud alert notifies creditors to verify your identity before extending credit, while a freeze restricts access to your credit report, making it harder for identity thieves to open new accounts.
Contact your bank or credit card company and request a new card or account number. This can help secure your accounts. With any data exposure, you need to be alert for phishing attempts, which often come from unsolicited emails, calls, or messages requesting sensitive information. Criminals can use information from a data breach to try and obtain credit or banking information so it is important to verify the authenticity of such communications.
Finally, consider using an identity theft protection service that offers monitoring of your credit or personal information. It can help you identify fraudulent activity before it becomes a serious problem.
It is not clear how long the database was publicly exposed or who else may have gained access. I am not implying any wrongdoing by SoftwareProjects, BuyGoods, or any affiliates, nor do I claim that customers or affiliates were ever at risk. I am only reporting the facts of my findings and the real world risks of this kind of exposure. As an ethical security researcher, I never download or extract the data I find, and I only take a limited sample for verification purposes. This article does not represent a comprehensive investigation into the breach. Only a cyber forensic audit would determine the full extent of the breach and if there was any additional access or downloads of the documents, records, and files. Any samples taken are solely for the purpose of verifying the nature of the exposure and are handled with utmost care for privacy and legal compliance. The primary intent of this article is to inform and educate about the real-world risks associated with data exposures and to promote awareness about the importance of robust cybersecurity measures.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
So happy you liked it!
Share it with your friends!
Or review us on
3225993
50
5000
74306839
This page isn't yet translated into . If you wish to volunteer and translate it, please contact us using the contact us page
