Pet Retailer Still Leaks Credit Card Data of 110K+ Customers
Recently, we found that Futurepets.com, a US online pet store, has leaked the details of more than 110,000 credit cards used to shop on the website.
Moreover, we discovered that the rsync service was configured to serve data without any password protection. This means that anyone with an Internet connection and an rsync client could have downloaded the data of more than 190,000 customers. This data included checkout information, shipping addresses, emails, names, phone numbers, and credit card details such as 16-digit card numbers, expiration dates, and cardholder names. No CVV code was listed as a separate field, but some fields contained it, apparently by mistake.
Futurepets.com describes itself as a specialty pet retailer offering services and solutions for the lifetime needs of pets.
The problem appears to lie in how the website collects and stores the personal data of its customers. Our researcher made a test order, and we realized that the website's backups of user data are not protected by any login and password. The amount of information the website asked us to provide during checkout made us, as members of the security community, feel uneasy.
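The exposure described above came down to an rsync daemon serving backups with no password. As an added example (not code from the original article or from Futurepets.com), the following audits an rsyncd.conf for modules that lack the controls a defender would expect: `auth users` with a `secrets file`, and a `hosts allow` restriction. The configuration it parses is a constructed sample, not the retailer's actual file.

```python
"""Flag rsyncd.conf modules exported without authentication or host limits."""
import re

# Constructed sample: the [backups] module is exposed like the case above,
# while [orders] shows the hardened form. Paths and names are illustrative.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[backups]
    path = /srv/backups
    comment = customer data backups
    read only = yes

[orders]
    path = /srv/orders
    read only = yes
    list = no
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""


def parse_rsyncd_conf(text):
    """Return {module: {key: value}}; global settings live under the key ''."""
    modules, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            modules[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            modules[current][key.strip().lower()] = value.strip()
    return modules


def audit_rsyncd_conf(text):
    """Return (module, finding) tuples; an empty list means no issues found."""
    conf = parse_rsyncd_conf(text)
    defaults = conf.pop("")                      # globals are module defaults
    findings = []
    for name, settings in conf.items():
        eff = {**defaults, **settings}           # module values override globals
        if "auth users" not in eff:
            findings.append((name, "no 'auth users': anonymous access"))
        elif "secrets file" not in eff:
            findings.append((name, "'auth users' set but no 'secrets file'"))
        if "hosts allow" not in eff:
            findings.append((name, "no 'hosts allow': reachable from any address"))
        if eff.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append((name, "'read only = no': remote writes allowed"))
    return findings
```

Run against the sample, `audit_rsyncd_conf` reports the anonymous, unrestricted `[backups]` module and nothing for `[orders]`.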
The total number of exposed credit and debit cards listed in the database is 110,429, and, more disturbingly, the list has been accumulating customers' card data since 2002. Some of the cards have already expired, but those added between 2015 and 2016 are still active, and in some cases the CVV numbers are listed as well.
When our researchers came across the database, we immediately notified the owners of Futurepets.com about the misconfiguration, but as of this publication we have not received any response. Hopefully, someone related to Futurepets.com will reply and secure the database. If this data were to fall into the wrong hands and be used for fraud, Futurepets.com may face reputational damage and possible regulatory action.
According to the Payment Card Industry Data Security Standard (PCI DSS), retailers face serious consequences for non-compliance with its security requirements in their daily operations. In particular, sensitive authentication data such as the CVC, CVV, and CVV2 must not be stored after authorization, even if encrypted. PCI DSS was created to “increase controls around cardholder data to reduce credit card fraud via its exposure.”
How might credit card data be used? In 2014, more than 600,000 individuals had their personal details stolen from UK companies. The credit card details were sold for only £1 per card on the dark web, and to date it is still unknown where exactly that data was taken from. That case remains the biggest leak of credit card details ever.
Our recent investigation shows that money may be taken from a credit card even without knowing the CVV code. Cardholders report that retailers such as Amazon may charge their credit cards without asking for the Card Verification Value (CVV). The same is true of hotels, which can charge or place a hold on a credit card without knowing the CVV code.
As for hotels, another database containing thousands of unencrypted credit card details was discovered a few months ago by the MacKeeper Security Research Center. Fortunately, that database, belonging to the Silverland Hotel in Ho Chi Minh City, Vietnam, was secured within a few days, and the mistake did not result in significant damage.
Attention: Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.