- Security researcher finds large unsecured database belonging to MyGiftCardSupply.
- It contained images of vital documents as well as selfie photographs.
- The company has since locked it down, but users should still be careful.
Experts warned that a database containing sensitive information on hundreds of thousands of users was unprotected online, available to anyone who knew where to look.
Cybersecurity researcher JayeLTee found a database containing driver’s licenses, passports and other identification documents. Subsequent investigation determined that it belonged to MyGiftCardSupply, a company that sells digital gift cards that customers can redeem online or in popular stores.
The data was hosted in Azure and contained 600,000 front and back images of various ID documents. Additionally, it contained approximately 200,000 selfies. Some companies require users to take a selfie holding a document, as proof of ownership and identity.
Complete audit
Gift cards are often abused in online scams. People who steal money, especially cryptocurrency, often buy gift cards to avoid being tracked by authorities. To eliminate fraud and comply with local regulations, MyGiftCardSupply required all customers to go through a mandatory Know Your Customer (KYC) process, in which they verify their identities.
Unfortunately, the company kept that data unprotected for an undisclosed period of time. We don’t know if any threat actors discovered it beforehand, but it’s a possibility. This type of data can be sold on the dark web, used in phishing and identity theft, and even abused in wire fraud.
JayeLTee said they contacted MyGiftCardSupply without success, after which they contacted TechCrunch. Responding to the post, company founder Sam Gastro acknowledged the researcher’s findings and said, “The files are now secure and we are conducting a full audit of the KYC verification procedure.”
“In the future, we will delete files immediately after performing identity verification.”
The company says it locked the database on January 1, 2025.