- Cybernews found an Elasticsearch instance with 870,000 unique records
- They were generated by Collectibles.com, a major collector’s card market
- The database was locked ten days later
Collectibles.com, an important collector’s market, has exposed sensitive information on hundreds of thousands of users, putting them at risk of identity theft, wire fraud, phishing, and more, experts said.
This is according to the Cybernews research team, who recently discovered and reported an Elasticsearch instance that was not protected by a password.
The team found a 300 GB trove of valuable user data, with more than 870,000 records, each representing a different person, noting how “exposure of user details and transaction histories presents a significant security risk, potentially allowing identity theft, targeted fraud and scams.”
Formerly known as Cardbase, Collectibles.com is an online marketplace and management platform for collectors, allowing users to track, buy and sell various collectibles, including trading cards, comics and memorabilia. In a press release in 2024, the company said it had around 300,000 users.
The data Collectibles.com leaked includes people’s full names, their email addresses, profile photo links, other user account details, collectible card sales and transactional data.
Cybernews contacted the company to report its findings, “but other than an automated response, the company did not acknowledge the data leak,” they said.
The instance was locked down ten days later, although we do not know how long it was open before being discovered. Nor do we know if malicious actors discovered it before Cybernews, and maybe even used the data for phishing.
Exposed databases remain one of the main causes of data leaks. Many organizations move sensitive customer data to a cloud database, and some of them do not understand that in the cloud, security is a shared responsibility.
Security researchers and cybercriminals can use tools such as Shodan or Elasticsearch to find these databases and use the information found to execute all kinds of scams.




