Online Eyewear Websites Expose Data of 186k Customers

In October 2019 I discovered a database that contained 186,000 sales records and 40.4 million visitor IP addresses. From October 23rd, 2019 to January 13th, 2020 I sent multiple emails and left numerous voice messages. My messages were completely ignored and I can only assume based on their lack of response that they take the same approach in the protection of their customers’ data.

The sales records referenced VoogueMe.com and Zeelool.com. Upon further research it appears that the company is likely based in Hong Kong or mainland China. There were no other contact options of how to responsibly disclose my discovery and secure the exposed data except using the same email or phone numbers that customers would use. In several months was never able to reach a real person or get a reply from support. Even if VoogueMe / Zeelool isĀ  based in China, that is no excuse to not properly secure customer data and not respond to my months long campaign of disclosure notices.

According to their website: “Voogueme is a leading provider of stylish prescription eyeglasses and sunglasses. With our own factory, we boast the greatest advantage that we can offer you comfortable and stylish eyewear at the most competitive prices on the market. Beyond the price advantage, we offer you the most professional services from our state-of-the-art lab, which is equipped with among the most modern optical equipment in the industry”.

Here is what I discovered in the database:
  • This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
  • 186,000 sales records that include email, IP, and other customer data.
  • 40.4 Million visitor IP addresses
  • IP addresses, Ports, Pathways, and storage info that cyber criminals could exploit to access deeper in to the network.

The real danger in an exposure like this is that it would make it easy to conduct a targeted phishing campaign. Cybercriminals would have the names, emails, billing amount, product type, and enough to potentially trick unsuspecting customers. Spammers could also target the VoogueMe and Zeelool customers. Given how long the data was publicly exposed customers should be aware that their data was leaked online and be cautious with any suspicious emails referencing their previous orders.

According to VoogueMe’s website the company was founded by “fashionista” Susan Chan. However, I could not find any contact information for her or anyone else connected to VoogueMe or Zeelool. No one has responded to my notifications at the time of publication.

 

Like this story? Please share it!

About the Author

Jeremiah Fowler
Jeremiah Fowler: Director of Security Research, Communications Specialist, Journalist and Cofounder at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com Twitter: @Yoda69