- Cybernews found an Elasticsearch instance holding 870,000 unique records
- They were generated by Collectibles.com, a major collectible card marketplace
- The database was secured ten days later
Collectibles.com, a major collectible card marketplace, has leaked confidential information about hundreds of thousands of users, exposing them to the risk of identity theft, wire fraud, phishing and more, experts have said.
This is according to the Cybernews research team, who recently discovered and reported an Elasticsearch instance that was not protected by a password.
The team found a 300 GB cluster of valuable user data containing more than 870,000 records, each representing a different person, and noted that “the exposure of user details and transaction records poses a significant security risk, which can enable identity theft, targeted fraud and account takeovers.”
Working around security solutions
Previously known as Cardbase, Collectibles.com is an online marketplace and management platform for collectors that lets users track, buy and sell a range of collectibles, including trading cards, comics and memorabilia. In a 2024 press release, the company claimed roughly 300,000 users.
The data Collectibles.com leaked includes people's full names, their email addresses, profile image links, other user account details, collectible card sales and transaction data.
Cybernews contacted the company to report its findings, “but beyond an automated response, the company did not acknowledge the data leak,” they said.
The instance was closed ten days later, although we do not know how long it remained open before being discovered. Nor do we know whether any malicious actor found it before Cybernews did, and possibly even used the data for phishing.
Exposed databases remain one of the leading causes of data leaks. Many organizations store confidential customer data in a cloud database, and some do not understand that in the cloud, security is a shared responsibility.
Security researchers and cybercriminals alike can use tools such as Shodan or Elasticsearch to find these databases and use the information in them to run all kinds of scams.
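As an added illustration (not taken from the article, from Cybernews, or from Collectibles.com), the kind of Elasticsearch node configuration that produces an instance like the one described above, beside the settings that close it. The keys are standard elasticsearch.yml settings; the addresses and file paths are constructed for this example.

```yaml
# --- WEAK: how an Elasticsearch node ends up readable by anyone on the internet ---
# (constructed example, not the configuration of any real deployment)
cluster.name: collectibles-demo        # constructed name
network.host: 0.0.0.0                  # binds the HTTP API on every interface, including public ones
http.port: 9200
xpack.security.enabled: false          # no authentication at all: every index is readable with a plain GET
# Nothing in front of port 9200 (no firewall rule / cloud security group) completes the exposure.

---
# --- HARDENED: the same node with the exposure closed ---
cluster.name: collectibles-demo
network.host: 10.0.1.15                # constructed private address; never a 0.0.0.0 bind on a data node
http.port: 9200
xpack.security.enabled: true           # requests now require credentials or an API key
xpack.security.http.ssl.enabled: true  # credentials travel over TLS, not cleartext
xpack.security.http.ssl.keystore.path: certs/http.p12        # constructed path
xpack.security.transport.ssl.enabled: true                   # node-to-node traffic is also encrypted
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
# Pair this with a network rule (cloud security group or host firewall) that allows port 9200
# only from the application tier; the "shared responsibility" in the article is exactly this layer.
```

With security enabled, the built-in users have no usable password until one is set (for example with the `elasticsearch-reset-password` tool shipped with Elasticsearch 8.x). A simple self-check for an existing deployment is to issue an unauthenticated request to the node's base URL from outside the application network: a correctly secured node answers 401, whereas a node in the weak state above answers 200 and returns cluster details.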