Slashdot Mirror
A Database of Thousands of Credit Cards Was Left Exposed on the Open Internet (zdnet.com)
A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found. From a report on ZDNet: In a stunning show of poor security, the Austin, TX-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords. Several customers that we reached out to confirmed some of their information when it was provided by ZDNet, but did not want to be named. The database was exposed because of the company's own insecure server and use of "rsync," a common protocol used for synchronizing copies of files between two different computers, which wasn't protected with a username or password.
I see your problem...
Far too often, it is easy to turn off/on other features of a product which make it less secure, all in the effort to just make it work. Once that's all done, there isn't always a careful examination of what the other implications of their other fiddling is.
I'd be very curious to which which other companies/contractors were involved in this setup, as they and their other customers should probably be thinking about a PCI security audit.
Help Brendan pay off his student loans
MacKeeper broke this story late November 2016 - https://mackeeper.com/blog/pos...
Even storing credit card data at all (instead of processor authorization tokens) is a huge red flag unless they want a mountain worth of additional compliance work.
And then they store it unencrytped....
I can see all the passwords on my linux system in /etc/shadow:
joe:$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1:17275:0:99999:7:::
see? The password for joe is:
$6$C/3J0yEO$a5VtriMUR6oyxW1kNSOSHE7fAlvWWbf4.aotAySCZATv7BB0pWPTmMRxXm5Ivg7GmswpKnJVdmnAg6FZoC7Fb1
Everything I write is lies, read between the lines.