Reportedly, Carter’s failure to implement proper authentication protocols on the store’s parcel tracking pages exposed data and shoppers to scams.
VpnMentor analysts report that the US-based baby clothing retailer Carter’s exposed the personally identifiable information (PII) of hundreds of thousands of its customers because of inadequate security in Linc, the automated online-purchase software the company uses.
The Linc system delivered shortened URLs containing Carter’s purchase and shipping data without any appropriate security protections. By modifying the Linc-generated URLs, it was possible to access backend JSON data that revealed even more customer details than the confirmation pages themselves showed, such as the full names, phone numbers, and delivery addresses of Carter’s customers.
In total, the exposed data included the following:
Full name
Email addresses
Billing addresses
City
State
Zip
Country code
Country
Phone number
Purchasing details
Shipping tracking IDs and links
Over 410,000 Records Exposed
It is reported that more than 410,000 records have been exposed in Carter’s data leak, including hundreds of thousands of customer records dating back to 2015.
VpnMentor noted that the shortened URLs are easy for attackers to discover because of a “lack of sufficient entropy or compensating security protocols.”
Carter’s did not put authentication in place to verify that the person viewing a confirmation page is the one who made the purchase. Researchers also noted that the links don’t expire, which means customers who bought from Carter’s online store even years ago remain at risk.
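The three weaknesses described above (guessable short links, no binding to the purchaser, and links that never expire) are all addressed by the way a tracking link is minted and checked. The following is an added illustration, not code from Carter’s, Linc or vpnMentor: a tracking-page token with about 128 bits of randomness, an HMAC that ties it to one order and an expiry time, and a verifier that rejects edited or expired tokens. The key, order-id format and 30-day lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import math
import secrets
import time
from typing import Optional

# Hypothetical server-side key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime: links stop working after 30 days


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random token of the given length
    (a 6-character alphanumeric id is under 36 bits, i.e. enumerable)."""
    return length * math.log2(alphabet_size)


def _tag(payload: str) -> str:
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_tracking_token(order_id: str, now: Optional[float] = None) -> str:
    """Mint a token for one order's tracking page.
    The nonce supplies 128 bits of entropy so the link cannot be guessed;
    the HMAC covers order id, expiry and nonce so none of them can be edited."""
    expires = int((now if now is not None else time.time()) + LINK_TTL_SECONDS)
    nonce = secrets.token_urlsafe(16)  # 22 URL-safe characters, no dots
    payload = f"{order_id}.{expires}.{nonce}"
    return f"{payload}.{_tag(payload)}"


def verify_tracking_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the order id if the token is intact and unexpired, else None."""
    try:
        # rsplit keeps the order id whole even if it contains dots
        order_id, expires_s, nonce, tag = token.rsplit(".", 3)
        expires = int(expires_s)
    except ValueError:
        return None
    payload = f"{order_id}.{expires}.{nonce}"
    if not hmac.compare_digest(tag, _tag(payload)):  # constant-time comparison
        return None  # tampered: e.g. the order id in the URL was changed
    if (now if now is not None else time.time()) > expires:
        return None  # expired: old confirmation links stop working
    return order_id
```

The verifier only proves the link was minted by the server and is still current; a page that shows PII should additionally require the purchaser to sign in or re-enter a detail only they know.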