Zhefengle

Online Store compromises millions of Chinese Citizen IDs

Millions of citizens have had their personal information exposed online due to yet another instance of an unprotected database. Cybersecurity researchers from CloudDefense.ai recently discovered a database created by Zhefengle, a Chinese e-commerce store specializing in importing products from overseas. The database contained 3.3 million records of orders placed by Zhefengle's customers between 2015 and 2020. Some entries included shipping addresses and phone numbers, while others even contained copies of government-issued identification cards.

According to TechCrunch, it is not uncommon for Chinese citizens to be required to upload a copy of their ID card as part of the process when importing products from abroad. Unfortunately, this database was not protected with a password, allowing anyone who knew its IP address to access it easily. At this time, we do not know whether any malicious actors discovered the database before the researchers did, or whether it has been used in phishing attacks or identity theft incidents. However, we do know that the owners promptly secured it once they were notified.

In response to inquiries from the publication, the store owners stated: “We have promptly addressed the vulnerability and are currently conducting an investigation into its cause.” Unprotected databases remain a prevalent way in which sensitive data is exposed online.

At the beginning of October this year, researchers discovered a database owned by Real Simple Systems that contained sensitive information about hundreds of thousands of individuals. A month earlier, in September, Microsoft was caught making a similar error when Wiz detected a significant vulnerability.

A Microsoft Azure storage database in the cloud contained sensitive information, including private keys and passwords. This database was used by Microsoft researchers who were working on Artificial Intelligence (AI) projects. It has been reported that this database had a size of 38TB. In another incident, Toyota was found to have a database compromising the data of around 2.15 million users. Toyota Motor Corporation had entrusted this data to Toyota Connected Corporation for management purposes. Due to a misconfiguration of the cloud environment, some of the data became publicly accessible.