Purchase automation software delivered shortened URLs without protections.
Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure.
The issue originated with Linc, a vendor the company used to automate online purchases, according to analysts with vpnMentor who first discovered it. The Linc system was delivering customers shortened URLs containing Carter’s purchase and shipping details without basic security protections. The links contained everything from purchase details to tracking information and more.
“Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as full names, delivery addresses and phone numbers,” the report explained.
The analysts calculated that more than 410,000 records, affecting hundreds of thousands of customers, were exposed in the leak, which they estimated dates as far back as 2015.
“Those shortened URLs were easily discoverable to hackers due to a lack of sufficient entropy or compensating security protocols,” the vpnMentor analysts wrote. “Carter’s also put no authentication in place to verify that only the person who’d made the purchase could visit the confirmation page.”
Compounding the risk, the researchers found that the links never expired, meaning customers who might have purchased from Carter’s years ago were still potentially in danger.
Carter’s Customers Exposed to Phishing Scams, Other Fraud
This kind of granular customer data could be used by threat actors in a fraudulent phishing campaign appearing to be from Carter’s, to scam victims into giving up even more sensitive data, like credit-card information.
“For more recent orders, hackers could simply ring up a Carter’s customer to discuss purchases made and pose as couriers or customer support, building rapport with the target and ensnaring them in criminal schemes,” the vpnMentor researchers warned. “Finally, for any purchases still on their way to a customer, hackers could redirect deliveries and steal them, reselling any stolen Carter’s products online.”
When the team contacted Carter’s on March 17 with the details of the breach, they were told to submit the report through other channels, rather than directly to the company. Eventually the shortened URLs were deactivated, according to vpnMentor’s report, sometime between April 4 and 7.
Carter’s, which accounts for 25 percent of the total $3 billion baby apparel market, could not be reached for comment. Linc, the vendor identified as sending out the unprotected shortened URLs, also did not respond to requests for comment from Threatpost.
Researchers with vpnMentor suggested that Carter’s customers who are concerned that their data might have been part of the breach should contact the company directly for answers.