Carter’s, a US baby clothes retailer, for years accidentally exposed the personal information of hundreds of thousands of customers, the researchers with vpnMentor revealed.
The issue stemmed from Linc, a vendor that handled the company’s URLs during online purchases. Researchers found that the Linc system distributed customers’ shortened URLs without any security protection.
The exposed data included: Full names, email addresses, and phone numbers. An attacker also could modify Linc’s URLs to expose more data:
“Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as: Full names delivery addresses and phone numbers,” the report explained.
Over 410,000 records, hundreds of thousands of customer records, and more were exposed as the result of the lack of protections. The exposed data goes back to 2015, according to analysts.
The shortened URLs were easily discovered by hackers due to the lack of security protocols:
“Those shortened URLs were easily discoverable to hackers due to a lack of sufficient entropy or compensating security protocols,” the vpnMentor analysts wrote. “Carter’s also put no authentication in place to verify that only the person who’d made the purchase could visit the confirmation page.”
The researchers discovered that the links on Carter’s website were active years after they were first exposed.
This data could be used by criminals to target consumers in phishing campaigns that purport to be from Carter’s. Aside from that, hackers could also use this customer information to run criminal schemes:
“For more recent orders, hackers could simply ring up Carter’s customer to discuss purchases made and pose as couriers or customer support, building rapport with the target and ensnaring in criminal schemes,” the vpnMentor researchers warned. “Finally, for any purchases still on their way to a customer, hackers could redirect deliveries and steal them, reselling any Carter’s stolen products online.”
The team reached out to on March 17 to report the issue. The shortened URLs were later deactivated by Carter’s.
