Vistaprint Customer Calls and Emails Exposed on Database

Laura Bednar | Cybersecurity and Vulnerabilities

Vistaprint Database Exposure

Another large corporation has left itself vulnerable to cyber attacks after leaving a database exposed with no password protection. Vistaprint, a popular printing company for cards, stationery, and other printed materials, left customer service interactions exposed, including:

  • Names
  • Email Addresses
  • Phone Numbers
  • Date and Time of interaction with customer service

There were 51,000 customer service interactions stored in the database. Security researcher Oliver Hough discovered the vulnerability last week, but the database was first discovered by Shodan, the search engine for exposed devices and databases.

Deep Dive into Data

One would think that leaving the basic information listed above open to any hacker or cybercriminal would be bad enough. However, the consequences of this exposure go far beyond leaking personally identifiable information.

Each interaction with a customer service representative was documented in this database. Customer queries were scanned to determine the complaint and its severity. Cases considered to be “priority” were pushed higher in the queue. Going further, one table on the system contained line-by-line online chat interactions with support agents.

This table includes data on the customer’s browser and network connection, the person’s location, the operating system for their computer, and their internet provider. These chats also included order numbers and tracking numbers for mail delivery. All of this information could expose a customer’s whereabouts and their technology use, opening them up to potential harm.

Securing Systems with Simple Solutions

After receiving word that the unencrypted database without any password protection was exposed, Vistaprint took it offline quietly. The company later released a statement expressing their concern and stating they would investigate to understand what happened and how to prevent it from happening in the future.

At the time of the statement, the company said they were unsure if any data had been accessed by anyone other than the security researcher. Researcher Hough found the database wasn’t sending or receiving data and was perhaps a holding cell for the data between transfers.

This is not the first database to be left exposed without any protection. Hundreds of thousands of Facebook user records were left exposed in April of this year, and that was only part of the first six months of data exposure. A report from Risk Based Security found that there were 3,800 publicly disclosed breaches with 4.1 billion compromised records in just six months of 2019. The worst part is that 3.2 billion of those records came from just eight breaches.

Companies of all sizes need to implement strong and complex passwords for all databases and storage systems that house sensitive information. Using sites like LastPass allows you to keep your passwords straight for multiple sites and systems while maintaining complexity to prevent unauthorized access.

If your system has been breached or exposed, SecureForensics can help. Our examiners can end a data breach, find what information was compromised, and find the person or entity behind the attack. Call 1-800-288-1407 to learn how we can help.