Cybersecurity researchers have discovered over 1.6 million files stored in the cloud without any type of protection. All data exposed is linked to e-commerce site users, mostly Etsy, TikTok Shop, and Poshmark.
The exposed data, which cyber criminals likely now have in their hands, includes email addresses, shipping addresses, specific orders made by clients, and other types of sensitive data commonly found on shipping order invoices.
Here’s the inside story on what happened, who is at risk, and how this type of leak affects Apple users.
Researchers discover unprotected e-commerce user data
Cybernews recently reported that its research team stumbled across 2 unprotected Azure Blob Storage containers that exposed over 1.6 million files.
Azure Blob Storage is offered by Microsoft as a cloud storage service, specifically for large volumes of data. If these cloud storage services are not properly configured, data can be exposed. In this case, someone stored more than 1.6 million files, mostly from Etsy and TikTok Shop users.
The data exposed contained shipping email confirmations in HTML format. Most data belongs to users in the United States, along with some in Canada and Australia.
No passwords, usernames, social security numbers, or other sensitive corporate or individual data was exposed, as far as we know.
If no passwords were exposed, why is this dangerous?
Using the exposed data, threat actors could craft more convincing phishing emails, phone calls, and texts to impersonate Etsy or associated services. Criminals could also send out convincing emails with malicious links to phishing sites where users can be tricked into giving away their credentials or downloading information stealers, ransomware, or spyware.
“The recent Azure Blob Storage misconfiguration that exposed 1.6 million customer records represents a serious breakdown in fundamental cloud security practices,” AJ Thompson, CCO at Northdoor PLC, a UK-based IT services and security company, told us.
Thompson explained that the shipping confirmations provide comprehensive data to malicious actors. Basically, it gives them all the elements they need to create convincing phishing campaigns.
“Apple users, who typically experience fewer security threats, will find these targeted attacks especially difficult to identify as fraudulent,” Thompson warned.
Apple users, who typically experience fewer security threats, will find these targeted attacks especially difficult to identify as fraudulent.
AJ Thompson, CCO at Northdoor PLC
Third-party, cloud, and e-commerce risks for users
The core problem in this security incident is centered around cloud platforms like Azure from Microsoft and how third-party companies use these environments.
The cloud offers many advantages, like massive storage space at convenient prices. However, when poorly managed, files that should stay private are suddenly in plain sight for anyone to see.
Thompson told us that, unfortunately, this is not uncommon. He described the issue as a “persistent vulnerability in e-commerce operations where third-party vendors frequently operate with inadequate security measures.”
Who created the database and left more than 1.6 million files from e-commerce users exposed?
In a quest to understand what exactly happened, Cybernews researchers investigated who created and configured these cloud storage so poorly.
Their investigation into this specific question came up short, as researchers could not find the exact owner of the massive database. However, a careful examination of the shipping orders linked the exposed data to a Vietnamese-based embroidery service.
The term “embroidery services” refers to a subgroup of businesses that work within the textile industry. Researchers said that the evidence suggested that a single entity set up multiple shops across popular e-commerce platforms.
The customer order confirmations from sales made by the aforementioned single entity were stored in insecure cloud storage locations. It is still unknown who exactly owns the cloud service and is, therefore, responsible for the misconfiguration and leak.
How can something like this happen?
We spoke to Paul DeMott, Chief Technology Officer at Helium SEO, to understand how someone might leave so much data unprotected.
“I have experienced this before, with a client we did an eCommerce integration for who utilized a lot of plug-ins in an effort to keep everything in equilibrium,” DeMott told us.
DeMott explained that in that case, his client wasn’t even conscious that among those plug-ins, one was quietly gathering customer information in an insecure fashion.
“It did not become apparent until some strange patterns in the network were picked up in a regular audit,” he said. “The issue, though, was not a tech one; it was a trust issue, and customers lost trust, and cleanup took months.”
As DeMott explained, this security incident has nothing to do with bad coding or sloppy work. It also has little to do with threat actors hacking into anything. Rather, the dashboard seems to have been forgotten in the cloud, spilling 1.6 million emails.
“It is a reminder that apps and third-party behemoths like Etsy and TikTok Shop with tens of millions of users are inextricably linked,” DeMott said.
In other words, when users give their data to e-commerce platforms, they’re also giving it to an unknown supply chain of services, APIs, sellers, resellers, and third-party apps. And when those third-party tools are not subject to the same discipline, things go awry.
“Anyone who is constructing online should treat every integration as if it is working with live explosives since, if not closely watched, that is exactly what it will eventually become,” DeMott said.
What Apple users need to know about e-commerce and third-party data exposure
As an Apple user, you might assume that since your Mac or iPhone has strong security, this issue doesn’t affect you. Unfortunately, this is not true.
While Apple security is considered a high standard, the problem has nothing to do with Apple or your iPhone. It is centered around your data and what you share on e-commerce sites.
Data on e-commerce sites is not only accessed, managed, and stored by digital commerce giants like Etsy and TikTok Shops but also by a massive volume of sellers, resellers, and small, medium, and large businesses. These businesses may, in turn, work with third-party providers and partners, further expanding the supply chain.
For example, a design company may provide invoice services to a client that uses e-commerce sites to sell its products. When you buy a product, your data is shared with them. As you can see, these risks are widespread.
Fergal Glynn, the Chief Marketing Officer and AI Security Advocate of Mindgard, an AI Red Team Security company, told us that this leak shows how third-party apps bypass Apple’s privacy safeguards.
“While iOS protects on-device data, sharing your data with Etsy and TikTok Shop moves that data outside Apple’s control,” Glynn said.
“Although Apple offers disposable emails for privacy, many users still share personal emails for online shopping,” he added.
Use Hide My Email on your iPhone
Glynn explained that Apple’s Hide My Email feature aims to protect user information that is exposed during shipping confirmation, such as a user’s name, address, and order details.
Through iCloud, users can view their Hide My Email to see which services have active aliases.
“If users had used disposable aliases for their Etsy and TikTok Shops, they could simply deactivate them without needing to change their real emails,” Glynn said.
Moonlock recommends that Apple users do the following:
- Use Hide My Email whenever possible: Create disposable email addresses for each online store or service you use. If there’s a breach, you can disable the alias instead of changing your main email.
- Regularly audit your iCloud email aliases: Check which services are linked to your aliases and deactivate any you no longer use or recognize.
- Be cautious with third-party plug-ins and tools: Even if you’re shopping through trusted platforms like Etsy or TikTok Shop, your data might pass through less secure third-party systems.
Final thoughts
It’s not just black hat hackers and cyber criminals you need to look out for.
As online businesses become intrinsically interconnected and digital supply chains expand, the digital landscape is shifting. When you enter your data on one platform, it might as well end up on the other side of the world.
To stay safe, follow the tips provided in this report, stay updated with cybersecurity news, and take a proactive approach by using features like Hide My Email to make sure that your e-commerce data is safe from threats.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac, iPhone, and iCloud are trademarks of Apple Inc.
