Key Takeaways:
- 5 million U.S. credit cards and personal details leaked online.
- The exposed data poses immediate threats of fraud, unauthorized transactions, and identity theft.
- The party responsible for this breach remains unknown.
- The AWS Abuse team initiated an investigation based on Leakd.com information.
As the festive season approaches, millions of Americans may find their Christmas at risk after a shocking data breach exposed an estimated 5 million unique credit and debit card details online.
The Leakd.com security team has discovered that 5 terabytes of sensitive screenshots were exposed on an unsecured Amazon S3 bucket, a cloud storage service provided by Amazon Web Services. These screenshots often featured unsuspecting users entering sensitive details into “too-good-to-be-true” promotional forms for fake offers, like free iPhones or heavily discounted holiday gifts.
While it’s unknown how long this data has been online, it now threatens to disrupt the holiday shopping season for potential victims.
The Danger of Too-Good-To-Be-True Offers
The leaked screenshots often featured instances of users entering personal and financial details into seemingly innocent promotional forms.
These offers, promising rewards like a free iPhone 14 or heavily discounted items, were just traps. With prices as low as $3, they often hid deceptive disclaimers about trial periods and auto-renewal charges.
However, what users didn’t realize was that their sensitive information was being captured and stored.
Exposed Data:
- Full Names
- Billing Addresses
- Email Addresses and Phone Numbers
- Credit Card Details
Many of the screenshots included the logo of “Braniacshop” and similar generic names, often associated with the title “Win an iPhone 14.” While Braniacshop’s exact role remains uncertain, its connection to the data raises concerns about deliberate data harvesting.
The Monetary Value of the Data Leak
The financial implications of this data breach are staggering. On the dark web, an average credit card, complete with associated details, is worth approximately $17. With an estimated 5 million unique U.S. credit and debit cards exposed in this breach, the potential monetary value of the stolen data exceeds $85 million. This figure underscores the lucrative nature of such breaches for cybercriminals and highlights the dire need for enhanced data security measures to protect consumers.
What This Means for the Leak Victims
The sheer scale of this breach is alarming, highlighting the failure of basic security protocols. Millions of individuals are now potentially at risk of:
- Financial Fraud: Criminals can easily use the leaked credit card details for unauthorized purchases.
- Identity Theft: Leaked personal data enables impersonation and fraud.
- Privacy Violations: Exposure of sensitive data might undermine trust and security.
How to Protect Yourself
If you suspect your information may have been compromised, take these steps immediately:
- Monitor Financial Accounts: Regularly check bank statements and report any suspicious activity to your financial institution.
- Enable Alerts: Set up fraud alerts with your bank or credit card provider.
- Update Credentials: Change passwords for accounts tied to your credit card or personal information.
- Freeze Your Credit: Consider a credit freeze to prevent new accounts from being opened in your name.
- Beware of Phishing Attempts: Be cautious about unsolicited communications asking for personal or financial details.
Also, as general advice, we strongly recommend using disposable or virtual payment cards for any new or unknown online shop.
What Authorities and Companies Must Do
The discovery of this unsecured S3 bucket demands swift action:
- Secure the Data: Immediate steps should be taken to lock down the exposed information and prevent further access.
- Notify Affected Individuals: Those affected must be informed so they can take preventive measures, although this could be impossible if it’s a phishing operation.
- Enhance Security Practices: Companies must prioritize robust encryption, access controls, and regular audits to prevent similar breaches.
Going forward, while helping law enforcement investigate the scheme, educating your consumers might also help decrease the risk of similar incidents.
We have notified the Amazon AWS Abuse Team about this issue to mitigate the risks for consumers and secure the exposed data promptly. Thanks to the Leakd.com security team, the investigation has already been started.