A Chinese online marketplace apparently unknowingly leaked hundreds of thousands of highly sensitive customer records which could have easily been used for identity fraud and other forms of cybercrime, a new report has claimed.
Researcher Jeremiah Fowler found a shady marketplace called Z2U keeping an unlocked database on a cloud server hosting roughly 600,000 records.
While Z2U advertises itself as a “reliable trade environment” for gamers, Fowler discovered many items on sale that could easily be classified as illegal, including Facebook and Instagram accounts, access to HBO, Netflix, Disney+ and other streaming services, Windows license keys, malware, viruses, and more.
To register on the site, a user must pass KYC (Know Your Customer) verification and must provide an unaltered image of an identity document, such as an ID card or passport.
However, this information, including photographs of users holding their identity documents, was sitting in the unprotected database Fowler discovered.
Furthermore, the database held records showing bank transaction payments that included IBAN numbers, user logins, emails, account passwords, order confirmations with the buyers’ names, emails, purchase details, and more.
The database was hosted on a server located in China, Fowler further explained, saying he saw a “large number” of documents and file names in Chinese.
“There could be significant intellectual property implications of selling accounts, license keys, and access to games, services and licensed software applications,” he says.
Many of the account login email addresses he saw for sale used Russian email accounts, too. “It is well known in the security community that Russia and China are among the most active locations for cybercrime and both countries have a reputation of being deeply engaged in dark web or malicious activity online.”
A week after discovering the database and notifying Z2U, the company locked the database, and Fowler did not mention finding any evidence of the data actually being used in the wild – however users should still act with caution.