A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)
A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
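The exposure described above is the rsync daemon (rsync://, TCP 873) pattern: a module published with no authentication and no host restriction. The following rsyncd.conf fragment is an added example (not from the ZDNet report or the company) showing a weak module beside a hardened version of the same module; the module name, paths, user name and IP address are assumed, and only one of the two definitions would appear in a real file.

```ini
# Weak: anyone who can reach port 873 can list and pull the module.
# No "auth users", no "hosts allow", writable, and listed publicly.
[customers]
    comment = customer database sync
    path = /srv/backups/customers
    read only = no
    list = yes

# Hardened: same module, restricted to one backup host, daemon auth,
# read-only, hidden from module listing, dropped privileges, chroot.
[customers]
    comment = customer database sync
    path = /srv/backups/customers
    # only the backup server may connect (203.0.113.10 is a placeholder)
    hosts allow = 203.0.113.10
    hosts deny = *
    # client must present a user/password checked against the secrets file
    auth users = backupsvc
    # secrets file holds "backupsvc:<password>" lines and must be mode 0600
    secrets file = /etc/rsyncd.secrets
    strict modes = yes
    read only = yes
    list = no
    uid = rsync
    gid = rsync
    use chroot = yes
```

Daemon authentication is still a shared secret over an unencrypted channel, so the hardened form is a floor, not a substitute for running rsync over SSH with key authentication or binding the daemon to a private address.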
Most of us use rsync over SSH with key auth, which means something like RSA-2048 or 4096, or ED25519 (elliptic curve crypto, about the same security as AES-128). It is not even password-based.
So, no, it was not rsync use that left things open. It was just incompetence.
How do "plain-text passwords" even exist? No computer anywhere should have a record of users' passwords. They should be impossible for anyone to look up.
Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.
And then they store it unencrypted...
Aren't there laws that require companies to protect customer data? There certainly should be.