
An online store exposed 110,000 of its customers' bank cards and did not close the hole for six months



Recently there has been so much news about companies being hacked and personal data leaking that, you would think, site owners must have taken extra precautions against it. Not so. Perhaps some large companies have thought about how not to lose tens of millions of dollars of capitalization the way Yahoo did before its sale (when the facts of major breaches surfaced). But many small businesses have not lifted a finger.

In November 2016, researchers from the Kromtech Security Research Center discovered a database containing complete information about the customers of one of the largest online pet stores in the US: more than 110,000 bank card records, some with CVV codes.

Kromtech Security Research Center staff immediately notified the store owners that a misconfigured database on one of their servers was readable by anyone on the internet: data synchronization between the store's servers ran over the rsync protocol without a password, so anyone with an rsync client and an internet connection could download the entire database.
They expected the owners to close the hole immediately, but received no reply. They sent the notification three times and once tried to reach the owners by phone, all to no avail. Six months on, nothing had changed.

The researchers saw no option other than to disclose the vulnerability publicly, though without naming the company or its website. The secret did not keep, however, and colleagues quickly worked out that the store in question is the Texas retailer FuturePets.com (note: at the time of writing the server was switched off and returned HTTP Error 404; it came back a few days later). The site was built by the Texas web studio DataWeb Inc., which has developed many similar pet-product stores; its portfolio is shown on its home page, and the same weakness may well be present on those sites too. DataWeb also owns the PegasusCart payment platform, which serves the stores DataWeb has built.

MacKeeper representatives warn that handling customers' financial data this carelessly puts the company at specific legal risk, not just reputational risk: it violates the Payment Card Industry Data Security Standard (PCI DSS), and violations carry penalties. Beyond the financial data not being properly protected, another rule is broken: CVC, CVV and CVV2 codes must not be stored in the system at all, even in encrypted form. This is spelled out in requirements 3.2 and 3.4 of PCI DSS (3.2 forbids storing sensitive authentication data, including the card verification code, after authorization; 3.4 requires the card number itself to be rendered unreadable wherever it is stored).


The database holds 193,337 records containing customer names, street and postal addresses and other identifying data, telephone numbers, bank card numbers, card expiry dates, cardholder names and so on. Although the database has no CVV field as such, some fields contain the code, probably entered by mistake.



The total number of exposed bank cards is 110,429. The records go back to 2002, so a large number of the cards have already expired, but many were added in 2015 and 2016, in some cases with CVV codes.
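The two findings above (card numbers stored in plain form, and CVV codes that ended up in fields never meant to hold them) are exactly what a PCI DSS discovery scan of an exported table should catch. The following Python script is an added example, not code from the article, Kromtech, FuturePets or DataWeb. It finds Luhn-valid card numbers in any text field, masks them to the first six and last four digits, flags expired cards against an assumed reference date of 2017-06-01, looks for CVV-like tokens anywhere in the same row, and produces a redacted copy of each row. The rows, field names (card_number, exp, notes) and the reference date are constructed assumptions; 4111... and 5555... are public test card numbers.

```python
"""Discovery scan for card data in an exported customer table (added example).
The rows below are constructed; field names and the 2017-06-01 reference
date are assumptions, not the store's real schema."""
import re
from datetime import date

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|sec(?:urity)?\s*code)\s*[:=]?\s*(\d{3,4})\b", re.I)
EXP_RE = re.compile(r"^\s*(\d{1,2})\s*/\s*(\d{2}|\d{4})\s*$")

SAMPLE_ROWS = [  # constructed data; 4111... and 5555... are public test numbers
    {"id": 1, "name": "A. Customer", "card_number": "4111 1111 1111 1111", "exp": "12/2016", "notes": ""},
    {"id": 2, "name": "B. Customer", "card_number": "5555555555554444", "exp": "03/2020",
     "notes": "phone order, CVV: 123"},
    {"id": 3, "name": "C. Customer", "card_number": "", "exp": "", "notes": "paid by check"},
    {"id": 4, "name": "D. Customer", "card_number": "1234567812345678", "exp": "01/2019", "notes": ""},
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and order IDs that merely look like PANs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found anywhere in a string, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four only, the most PCI DSS requirement 3.3 permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_expired(exp: str, today: date) -> bool:
    """A card is valid through the end of its expiry month."""
    m = EXP_RE.match(exp or "")
    if not m:
        return False
    month, year = int(m.group(1)), int(m.group(2))
    if year < 100:
        year += 2000
    return (year, month) < (today.year, today.month)


def scan_rows(rows, today=date(2017, 6, 1)) -> list:
    """One finding per stored PAN: where it sits, whether the card is expired,
    and whether a CVV-looking token is stored anywhere in the same row."""
    findings = []
    for row in rows:
        text_fields = {k: v for k, v in row.items() if isinstance(v, str)}
        cvv_stored = any(CVV_RE.search(v) for v in text_fields.values())
        for field, value in text_fields.items():
            for pan in find_pans(value):
                findings.append({
                    "id": row["id"], "field": field, "pan": mask_pan(pan),
                    "expired": card_expired(row.get("exp", ""), today),
                    "cvv_stored": cvv_stored,
                })
    return findings


def _mask_match(m) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def redact_row(row: dict) -> dict:
    """Storage-safe copy of a row: PANs masked, CVV tokens stripped from free text."""
    clean = dict(row)
    for field, value in row.items():
        if isinstance(value, str):
            value = PAN_RE.sub(_mask_match, value)
            clean[field] = CVV_RE.sub("[cvv removed]", value)
    return clean


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Run against a real export, the scan lists every row that still holds a card number (and how many of those rows also carry a verification code), which is the inventory you need before deciding what to purge; the CVV regex is a heuristic for codes typed into notes fields, so review its hits rather than trusting the count. The correct fix for the store is not redaction after the fact but never storing the PAN and CVV: hand the card to the payment processor and keep only its token plus the masked number.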

On the black market, bank card data sells for just over a dollar per card. The researchers call the pet store database one of the largest payment card leaks in history.



Remarkably, attackers did not need to hack anything here: it was enough to point an rsync client at the company's server and pull down the data it was serving for synchronization.
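The exposure described here, and in the Kromtech notification above, is easy to check for in your own estate. The following Python script is an added example, not code from the article, Kromtech or DataWeb: it speaks the plain rsync daemon protocol on TCP 873, asks the daemon for its module list, then requests each module by name and reports whether the daemon answers `@RSYNCD: OK` (readable by anyone, as in this case) or `@RSYNCD: AUTHREQD` (a password is demanded). The host name, module names and the sample reply used to exercise the parser are constructed; run it only against servers you are authorized to test, since every module request is logged by the daemon.

```python
"""Enumerate an rsync daemon's modules and check which open without a password.
Added example; host, module names and SAMPLE_LIST_REPLY are constructed."""
import socket

RSYNC_PORT = 873
CLIENT_GREETING = b"@RSYNCD: 31.0\n"    # protocol version line the client answers with


def _read_line(sock) -> bytes:
    """Read one newline-terminated line from the daemon (replies are short)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def parse_module_list(reply: bytes) -> list:
    """Parse the reply to '#list'.  rsyncd prints each listable module as
    'name<TAB>comment'; MOTD lines and the closing '@RSYNCD: EXIT' carry no
    tab and are skipped.  Modules with 'list = no' never appear here."""
    modules = []
    for raw in reply.split(b"\n"):
        line = raw.decode("utf-8", errors="replace")
        if "\t" not in line or line.startswith("@"):
            continue
        name, _, comment = line.partition("\t")
        modules.append((name.strip(), comment.strip()))
    return modules


def classify_module_reply(line: bytes) -> str:
    """Map the daemon's answer to a module request onto an audit verdict:
    '@RSYNCD: OK'       -> module opens with no credentials at all
    '@RSYNCD: AUTHREQD' -> daemon demanded a password (auth users / secrets file)
    '@ERROR: ...'       -> refused (hosts allow/deny, unknown module, ...)"""
    text = line.decode("utf-8", errors="replace").strip()
    if text == "@RSYNCD: OK":
        return "open"
    if text.startswith("@RSYNCD: AUTHREQD"):
        return "auth-required"
    if text.startswith("@ERROR"):
        return "denied"
    return "unknown"


def _connect(host, port, timeout):
    """Open a daemon session: read the '@RSYNCD: <ver>' banner, answer with ours."""
    sock = socket.create_connection((host, port), timeout=timeout)
    banner = _read_line(sock)
    if not banner.startswith(b"@RSYNCD:"):
        sock.close()
        raise RuntimeError("not an rsync daemon, banner was %r" % banner)
    sock.sendall(CLIENT_GREETING)
    return sock


def list_modules(host, port=RSYNC_PORT, timeout=5.0) -> list:
    with _connect(host, port, timeout) as sock:
        sock.sendall(b"#list\n")
        data = bytearray()
        while b"@RSYNCD: EXIT" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_module_list(bytes(data))


def module_access(host, module, port=RSYNC_PORT, timeout=5.0) -> str:
    """Request a module by name and report whether the daemon asks for a password."""
    with _connect(host, port, timeout) as sock:
        sock.sendall(module.encode() + b"\n")
        for _ in range(64):                  # tolerate MOTD lines before the verdict
            line = _read_line(sock)
            if not line:
                break
            if line.startswith(b"@"):
                return classify_module_reply(line)
    return "unknown"


def audit(host) -> dict:
    """Module name -> 'open' / 'auth-required' / 'denied' / 'unknown'."""
    return {name: module_access(host, name) for name, _ in list_modules(host)}


# Constructed transcript of a '#list' reply, used to exercise the parser offline.
SAMPLE_LIST_REPLY = (
    b"Welcome to the store sync server\n"      # MOTD line, not a module
    b"customers      \tcustomer and order database\n"
    b"www            \t\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "sync.example.invalid"))
```

Any module reported as "open" is the FuturePets situation. In rsyncd.conf the minimum fix per module is `auth users` together with a `secrets file`, plus a `hosts allow` limited to the peer servers, `read only = yes` where the peer only pulls, and `list = no` so the module is not advertised. Note that the rsync daemon protocol has no transport encryption, so even a password-protected module sends the customer data in clear over the internet; for server-to-server synchronization, run rsync over SSH or bind the daemon to an internal interface only.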

There are known ways to cash out someone else's card even without the CVV, using only the 16-digit number, the cardholder's name and the expiry date: paying for hotel rooms, for example, or buying goods on Amazon and in other stores (gift cards are the preferred purchase, being anonymous and easy to resell). So the leak is genuinely serious.

Security experts say that the websites of small online stores have become the most attractive hacking targets in terms of payoff versus effort: they simply have fewer resources and less expertise to defend themselves. According to a SecurityMagazine survey, only 31% of small businesses "have taken active steps to protect against security hacks, and 41% are not aware of these risks at all." It seems someone will have to pay for that ignorance.

Source: https://habr.com/ru/post/370423/

