Children’s Educational Site Exposes Thousands of User Accounts and Payment Data
One of the biggest rules of data storage is to protect payment details of customers and taking every step possible to prevent unauthorized people to access stored cardholder data many companies use 3rd party merchant accounts to avoid processing payments.
ABCya.com Data Leak
ABCya claims to be the leader in free educational kids computer games and activities for elementary students to learn on the web and has an estimated monthly 4 million visitors per month. The site offers a wide range of games and tools to help children learn with educational games and tools. They claim “Millions of kids, parents, and teachers visit ABCya.com each month, playing over 1 billion games last year”. ABCya offers monthly subscriptions ranging from $6.99 to $29.99 and had the credit card data stored on a misconfigured database that was publically available.
- credentials and info of 11k+ archived customers (incl. IPs, emails, names, temporary access code, hashed and salted passwords)
- credentials and info on 21k+ active customers (incl. credit cards details such as hashed ID, fingerprints, expiration year and month, last 4 digits and card name in plain text).
- more than 3k+ Stripe tokens and info
- credentials of 4 “super admin” users for ABCya with encrypted/salted passwords and details.
The MacKeeper Security Research Team sent notifications on May 19th and received no response but noticed that databases are now secured and not publically available.
With each and every data breach it becomes clear that companies who store customer data must take every precaution to protect that data. Companies who store and collect credit card data have an additional responsibility and nearly every credit card provider discourages businesses from storing credit card data.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.