    From Mike Powell@1:2320/105 to All on Fri Mar 21 10:30:00 2025
    Top collectibles site leaks personal data of nearly a million users

    Date:
    Thu, 20 Mar 2025 17:04:00 +0000

    Description:
    Cybernews found a non-password-protected database containing Collectibles.com user names, addresses, and more.

    FULL STORY ======================================================================
    - Cybernews found an Elasticsearch instance with 870,000 unique records
    - They were generated by Collectibles.com, a major collectible cards marketplace
    - The database was locked ten days later

    Collectibles.com, a major collectible cards marketplace, has been leaking sensitive information on hundreds of thousands of users, exposing them to
    risk of identity theft, wire fraud, phishing, and more, experts have claimed.

    This is according to the research team from Cybernews, who recently discovered, and reported, a non-password-protected Elasticsearch instance.

    The team found a 300GB cluster of valuable user data, counting more than 870,000 records, each representing a different person, noting how, "The
    exposure of user details and transaction histories poses a significant
    security risk, potentially enabling identity theft, targeted fraud, and
    account takeovers."

    Working around security solutions

    Formerly known as Cardbase, Collectibles.com is an online marketplace and management platform for collectors, allowing users to track, buy, and sell various collectibles, including trading cards, comics, and memorabilia. In a 2024 press release, the company claimed to have roughly 300,000 users.

    The data Collectibles.com was leaking includes people's full names, their
    email addresses, profile picture links, other user account details,
    collectible card sales, and transactional data.

    Cybernews reached out to the company to report their findings, but besides
    an automated response, the company did not acknowledge the data leak, they said.

    The instance was closed ten days later, although we don't know for how long it remained open before being discovered. We also don't know if any malicious actors discovered it before Cybernews, and possibly even used the data in phishing.

    Exposed databases remain one of the key causes of data leaks. Many organizations hoard sensitive customer data in a cloud database, some of
    which don't understand that with cloud, security is a shared responsibility.

    Security researchers and cybercriminals alike can use tools like Shodan or Elasticsearch to find these databases and use the information found there to run all kinds of scams.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/top-collectibles-site-leaks-personal-data-of-nearly-a-million-users

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)