An online retailer based in China that resold access to streaming services and other products kept private customer information in a database that was openly accessible on the Internet, according to a report by a security researcher published this week.
On Tuesday, cybersecurity expert Jeremiah Fowler said the company, Z2U, stored private information like credit card numbers, government documents and other material in an online database that could be viewed by anyone with knowledge of its location on the Internet.
The database reportedly included the personal information of more than 600,000 customers who used Z2U’s online brokerage service to buy credentials to streaming services like Netflix, HBO Max and Disney Plus as well as online services and software like Amazon Prime Video, Microsoft Office, Norton 360 and Adobe Photoshop.
Some of Z2U’s customers appear to be people who want access to the services or products in countries where they are not offered, while others seem to buy login information that is misappropriated from account holders without their knowledge. Fowler said customers were offered access to Disney Plus for as little as $17 a year, even though Disney charges $110 for an annual subscription. Netflix accounts went for as low as $1, far below the streamer’s usual price of $15.50 per month.
“All of these companies have some form of data policy or terms of use agreement that prohibits selling, licensing, or the purchase of any account or access to services using someone else’s account,” Fowler wrote in his report. “Although Z2U claims to not sell stolen, hacked, or cracked accounts, it is unclear what the verification process is other than buyers requesting a refund when the account is restricted, suspended, or no longer works.”
A small sample of customer information viewed by Fowler included images of credit cards, photos of customers holding their government-issued ID cards, user logins, e-mail addresses, account passwords, order confirmations, software license keys and credentials to social media accounts.
Fowler said the records that show customers holding their ID cards is particularly problematic, because criminals can misappropriate those images to commit identity theft.
“The criminal could easily open new accounts or purchase products and use the same leaked images of victims to verify or validate the new fraudulent accounts,” he said.
Fowler said he immediately sent a notice to Z2U, but the database remained online for at least another week. He eventually notified the website VPNMentor, where his report on the database breach was published.
“Buying accounts or access credentials can create a much bigger security issue when customers are required to provide sensitive personal information to companies that operate in countries or regions with limited data protection,” Fowler wrote. “We imply no wrongdoing by Z2U or their customers and only highlight the details of our discovery to identify real world risks. In this data exposure there were thousands of images containing PII and payment or billing information.”
Fowler said he wasn’t sure how long the database was online, or whether cyber criminals had already accessed any data with personal information. Customers who bought or sold credentials through the Z2U marketplace should take steps to ensure their identity is not stolen.
