
Vevor Online Retailer Leaked 1.1 Billion Records Online Including Customer Data

By Jeremiah Fowler

Recently I discovered a non-password-protected database that contained a massive number of records. The total size of the dataset was 601.84 GB, and the total number of documents was over 1.16 billion. Upon further research, there were multiple references throughout the database indicating that the data belonged to the California-based online retailer Vevor.com. According to Crunchbase they are registered in the US, but based on publicly available details on their website (e.g. the privacy policy), it appears to be a China-based company. According to their website: “VEVOR is a leading brand that specializes in equipment and tools.”

Two separate data exposures: The first database was initially discovered back in early April 2022. Despite multiple responsible disclosure notices, we never received a reply, and the database was restricted from public access several days later. Then, in early July 2022, the unsecured AWS server appeared again on a separate IP address. We again tried to reach out to the owner and again received no reply; fortunately, the server was secured shortly afterwards. The misconfiguration was caused by the server’s owner (VEVOR or their infrastructure vendor) and not by Amazon Web Services. The data was marked as “production” and contained what appears to be various types of PII and sensitive data relating to their online operations, including customer information such as first and last names, partial credit card numbers, transaction IDs, order and refund information, and much more. The payment and checkout records, including names, emails, home addresses, currency, and more, were exposed in both plain text and hashed form. Since July, we haven’t seen the dataset exposed again. To make sure it wouldn’t reappear online where ill-intentioned hackers could find it, we waited a few months before publishing our findings. Read my full report here.