- Cybernews found an Elasticsearch instance holding 870,000 unique records
- The records were generated by Collectibles.com, a large marketplace for collectibles
- The database was locked ten days later
Collectibles.com, a large marketplace for collectibles, has leaked sensitive information about hundreds of thousands of users and exposed them to the risk of identity theft, fraud, phishing and more, experts have claimed.
This is according to the research team from Cybernews, which recently discovered and reported an Elasticsearch instance that was not password-protected.
The team found a 300GB cluster of valuable user data containing more than 870,000 records, each representing a different person, noting that “exposure of user information and transaction histories poses a significant security risk, potentially enabling identity theft, targeted fraud and account takeover.”
Works around security solutions
Formerly known as Cardbase, Collectibles.com is an online marketplace and management platform for collectors that allows users to track, buy and sell different collectibles, including trading cards, comics and memorabilia. In a press release from 2024, the company claimed to have approx. 300,000 users.
The data Collectibles.com leaked includes people’s full names, their email addresses, profile picture links, other user account information, collectible sales and transaction data.
Cybernews reached out to the company to report its findings, “but besides an automated response, the company did not acknowledge the data leak,” they said.
The instance was closed ten days later, although it is not known how long it remained open before it was discovered. It is also unknown whether any malicious actors discovered it before Cybernews did and possibly used the data in phishing.
Exposed databases continue to be one of the main causes of data leaks. Many organizations store sensitive customer data in a cloud database, and some of them do not understand that in the cloud, security is a shared responsibility.
Security researchers and cyber criminals alike can use tools such as Shodan or Elasticsearch itself to find these databases and use the information found there to run all kinds of fraud.
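The exposure described above comes down to an Elasticsearch node that answers its root endpoint to anyone without credentials. The following self-audit script is an added example, not code from the article or from Cybernews; it assumes you point it at a node you operate (the URL is a hypothetical placeholder) and uses constructed sample responses modelled on Elasticsearch's usual JSON shape.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses, modelled on what an Elasticsearch root
# endpoint returns; not captured from the instance the article describes.
SAMPLE_OPEN = (200, {"name": "node-1", "cluster_name": "prod-cluster",
                     "version": {"number": "8.x"}, "tagline": "You Know, for Search"})
SAMPLE_LOCKED = (401, {"error": {"type": "security_exception",
                                  "reason": "missing authentication credentials"}})


def classify(status, body):
    """Classify the answer to an unauthenticated GET / on an Elasticsearch node.

    'exposed'       - the node returned cluster metadata, so anyone who can reach
                      it on the network can read (and query) its indices.
    'auth_required' - the node refused the anonymous request; security is on.
    'unknown'       - anything else (proxy error, not Elasticsearch, etc.).
    """
    if status == 200 and isinstance(body, dict) and "cluster_name" in body:
        return "exposed"
    if status in (401, 403):
        return "auth_required"
    return "unknown"


def audit(url, timeout=5):
    """Send one anonymous request to a node you own (hypothetical URL such as
    http://127.0.0.1:9200) and classify what comes back."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)  # HTTPError is file-like; body may be empty
        except ValueError:
            body = None
        return classify(err.code, body)


if __name__ == "__main__":
    for status, body in (SAMPLE_OPEN, SAMPLE_LOCKED):
        print(status, "->", classify(status, body))
```

Anything classified as "exposed" should be treated as an incident: enable authentication, restrict the listening interface to the private network, and review access logs for the period it was reachable.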