Database Snafu Leaks 600K Records from Marketplace

An online marketplace on which users trade discounted online accounts, license keys and malware has suffered a data leak exposing hundreds of thousands of sensitive records, according to vpnMentor.

Security researcher Jeremiah Fowler found 600,000 “customer support attachments” related to website Z2U, which included images of individuals holding credit cards, passports and other ID documents.

Also exposed in the non-password-protected database were payment transactions including IBAN numbers; user account logins, emails and passwords; and order confirmations showing the buyer’s name, email and details of their purchase.

Additionally, Fowler was able to access screenshots of the customer support dashboard, communications, purchase histories, account credits and refund requests.

Fowler said the platform is based in China, as was the server hosting the database in question. Z2U also has an English language site and a 4.5 rating on Trustpilot.

It claims to be a “world leading digital marketplace trading platform” for gamers, dedicated to buying and selling in-game items.

However, Fowler’s research appeared to reveal a wide range of dubious trading activity outside the gaming world, including the sale of social media, streaming and even Amazon accounts.

“This bypasses the validation processes that many social media companies put in place to prevent malicious or fraudulent activity on their platforms. The Amazon customer (buyer) and merchant (seller) accounts sold on Z2U also pose a risk of fraud,” he argued.

“Sharing or selling accounts raises many ethical and security concerns. I saw documents indicating users on Z2U were selling HBO MAX and Netflix Premium accounts for as little as $1, and Disney+ three-month subscriptions for $5. For reference, Disney+ costs $109.99 per year, while sellers on Z2U offer access for as low as $17 per year. In the UK it is against the law for users to share their passwords for services such as Netflix, Amazon Prime Video and Disney+.”

Fowler also claimed to see Windows license keys for sale “at a fraction of the real price” and sellers “offering viruses, malware or other malicious applications.”

Access to the database was closed shortly after the researcher sent a note to the site in Chinese.

“We imply no wrongdoing by Z2U or their customers and only highlight the details of our discovery to identify real world risks,” Fowler concluded.

Infosecurity has contacted Z2U for comment and will update this story if we hear back.
