Cybersecurity researchers from Cybernews have uncovered two misconfigured Azure Blob Storage containers containing more than 1.6 million files, primarily shipping email confirmations.
The vast majority of the leaked data appears to belong to American customers, though some affected individuals are located in Canada and Australia.
The emails were linked to purchases from Etsy, TikTok shops, Poshmark, and a vendor called Embroly. Most exposed files were HTML versions of shipping confirmations, containing sensitive customer information such as full names, home addresses, email addresses, and shipping order details.
While it’s unclear who owns the storage buckets, metadata suggests the orders originated from custom embroidery services based in Vietnam, potentially a single operator running multiple storefronts across global e-commerce platforms.
Serious Privacy Implications
Etsy, in particular, is a prominent marketplace for millions of small businesses. According to researchers, this kind of data exposure has serious implications for the privacy and safety of its customers.
This goes beyond privacy; it’s an opportunity for bad actors. With access to personal details like names, addresses, and order contents, malefactors could convincingly impersonate Etsy or a shipping provider to launch targeted phishing campaigns.
Unfortunately, follow-up emails that include the exact product a customer ordered, their name, and address have a level of specificity that makes fraudulent messages look real. This increases the chances of a victim clicking a malicious link, confirming sensitive information, or even making a secondary payment.
The researchers warned: “With access to personal information like full names and addresses, attackers could impersonate trusted shipping providers or Etsy itself, making fraudulent communications seem more credible and urging victims to take actions such as confirming personal details, making payment, or clicking malicious links.”
Even more concerning is the potential for malware delivery. By crafting messages referencing recent orders, attackers could trick users into downloading harmful files or visiting malicious websites, turning a simple confirmation email into a threat vector.
Ownership Unknown, But Patterns Emerge
Although the exact owner of the misconfigured storage instance hasn’t been identified, its contents point to custom embroidery order processing, with several references to Vietnamese design services. This suggests a likely single seller operating across multiple platforms, with Etsy being the most affected.
However, any identifying information about who owns or operates the exposed cloud instance is missing. That makes accountability and remediation tricky.
How to Prevent Exposure
The breach highlights how even small misconfigurations in cloud storage can result in large-scale data leaks.
To prevent future incidents, researchers recommend a multi-layered approach to cloud security, including:
- Enforcing strict access controls to prevent unauthorized access to cloud resources
- Reviewing storage access logs for suspicious activity
- Enabling server-side encryption for data at rest
- Using Azure Key Vault for secure key management
- Ensuring secure transmission through SSL/TLS encryption
- Conducting routine audits and training staff on best practices for data protection
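As an added illustration (not code from Cybernews or from the article), the configuration-related recommendations above can be turned into an automated check over storage account settings. The sketch assumes records shaped like the JSON output of `az storage account list` and `az storage container list`; the account names, values and the "containers" key that joins the two outputs are constructed for the example.

```python
import json

# Constructed sample (invented names/values), shaped like `az storage account list -o json`,
# with each account's `az storage container list` output attached under a
# hypothetical "containers" key so the audit runs offline.
SAMPLE = json.loads("""[
 {"name": "shopmailarchive", "allowBlobPublicAccess": null,
  "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
  "encryption": {"keySource": "Microsoft.Storage", "services": {"blob": {"enabled": true}}},
  "containers": [{"name": "confirmations", "properties": {"publicAccess": "container"}},
                 {"name": "internal", "properties": {"publicAccess": null}}]},
 {"name": "ordersprod", "allowBlobPublicAccess": false,
  "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
  "encryption": {"keySource": "Microsoft.Keyvault", "services": {"blob": {"enabled": true}}},
  "containers": [{"name": "labels", "properties": {"publicAccess": null}}]}
]""")

def audit_account(acct):
    """Return findings for one account, one per recommendation it fails."""
    findings = []
    # Access control: null/missing is not an explicit "off", so flag it as well.
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access not explicitly disabled on the account")
    for c in acct.get("containers", []):
        level = (c.get("properties") or {}).get("publicAccess")
        if level and str(level).lower() not in ("off", "none"):
            findings.append(f"container '{c['name']}' allows anonymous access ({level})")
    # Secure transmission: HTTPS only, and TLS 1.2 or newer.
    if acct.get("enableHttpsTrafficOnly") is not True:
        findings.append("plain HTTP requests are accepted")
    if acct.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        findings.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}")
    # Encryption at rest and key management.
    enc = acct.get("encryption") or {}
    blob = (enc.get("services") or {}).get("blob") or {}
    if blob.get("enabled") is not True:
        findings.append("blob encryption at rest is not enabled")
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption keys are not managed in Azure Key Vault")
    return findings

def audit(accounts):
    """Map account name -> findings, omitting accounts with none."""
    report = {a["name"]: audit_account(a) for a in accounts}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, *findings, sep="\n  - ")
```

Run on a schedule against real CLI output, a check like this catches a container that has drifted to anonymous access before its contents are indexed by anyone else.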
Bottom line: E-commerce platforms like Etsy may feel like safe spaces, but third-party sellers and poor cloud hygiene can expose even the most careful customers.
Inherent Risks in Online Shopping
“The exposure of 1.6 million files containing shipping confirmation emails from major online marketplaces highlights a critical cybersecurity vulnerability in e-commerce infrastructure,” says Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “This breach, affecting primarily U.S. customers, underscores the risks inherent in online shopping ecosystems despite their perceived security.”
Malik says the leaked data, including personal details and order information, presents a significant threat for potential misuse in phishing, identity fraud, and financial scams.
“It emphasises the urgent need for implementing and ongoing assurance for cloud storage security measures. While cloud security controls are available, organisations need a culture of security to ensure that every employee understands the role they have in securing data and the infrastructure to ensure incidents don’t occur. It underscores the crucial balance between technological solutions and human vigilance in maintaining effective cybersecurity postures, essential for preserving both data integrity and consumer trust.”
Third-Party Blind Spots
“Cybersecurity blind spots in third-party supply chain integrations occur daily when developers or unknowing users assume that either using obfuscation or hiding sensitive information is enough to secure cloud-connected services. It is not,” adds James McQuiggan, Security Awareness Advocate at KnowBe4.
“When customer data is exchanged between platforms, especially in retail and e-commerce, sensitive information like names, home, and email addresses become soft targets if they are not properly secured. Security by obfuscation is not security at all. Every third-party connection is part of an organization’s attack surface. If those links to the supply chain aren’t continuously validated, monitored, and configured with the least privilege, then the risk is significant. Organisations must move beyond vendor security compliance on paper and treat every external connection as a live endpoint under threat,” McQuiggan ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


