eCommerce security company Sansec has revealed it's found a number of online stores accidentally leaking highly sensitive data.

After studying 2,037 online stores, the company found that 12.3 percent exposed compressed files (in ZIP, SQL, and TAR archive formats), which BleepingComputer noted appear to be private backups containing master database passwords, confidential admin URLs of stores, full customer data (PII, or personally identifiable information), and internal API keys on public-facing web folders without requiring authentication.

The Sansec Threat Research group also found multiple attack patterns coming from various IPs, suggesting that a number of threat actors have known about this online store flaw and are working to exploit it.

In a post, the researchers said:

"We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks. Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found."

Sansec urges online web store owners to make sure sure they aren't leaking sensitive data. Start checking if backup files are open to the public internet and, if they are, close them immediately, and investigate the store for any signs of compromise. The company recommends the following steps to site owners in the event of accidental exposure:

  • Check server logs for signs of backup file downloads.
  • Check for unauthorized admin accounts.
  • Change all passwords.
  • Implement two-factor authentication (2FA).
  • Ensure the remote database admin panel isn't showing up on the public internet.
  • Run an eCommerce malware scanner.

Lastly, to avoid creating accidental data leaks on online shops, Sansec advises owners to deploy store code on a read-only file system, schedule frequent backing up of files, restrict access to backup files, and start monitoring for online data exposure.


We don't just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.