Baby clothing giant Carter’s exposed trove of shoppers data


Reportedly, Carter’s failed to put proper authentication on the store’s order-confirmation and parcel-tracking pages, exposing customer data and leaving shoppers open to scams.


vpnMentor researchers report that the US-based baby clothing retailer Carter’s exposed personally identifiable information (PII) of hundreds of thousands of its customers because of inadequate security in Linc, the post-purchase order-confirmation and shipment-tracking software the company uses.


The Linc system delivered Carter’s purchase confirmations and shipping details through shortened URLs with no meaningful access controls. By modifying the Linc-generated URLs, it was possible to reach backend JSON responses that revealed even more customer details than the confirmation pages themselves showed, such as full names, phone numbers, and delivery addresses of Carter’s customers.


In total, the exposed data included the following:


Full name
Email addresses
Billing addresses
City
State
Zip
Country code
Country
Phone number
Purchasing details
Shipping tracking IDs and links

Over 410,000 Records Exposed


It is reported that more than 410,000 records were exposed in Carter’s data leak, including hundreds of thousands of customer records dating back to 2015.

vpnMentor noted that the shortened URLs are easy for attackers to discover because of a “lack of sufficient entropy or compensating security protocols.”


Data exposed by the company (Image credit: vpnMentor)

Carter’s had no authentication in place to verify that the person visiting a confirmation page was the customer who actually placed the order. Researchers also noted that the links don’t expire, so customers who bought from Carter’s online store even years ago remain at risk.
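To make the two failure modes concrete, here is an added example (not code from vpnMentor, Linc or Carter’s; the 6-character base62 slug it analyses is a hypothetical URL-shortener format, not Linc’s actual scheme, and the key is a placeholder): the first two functions estimate how many blind guesses an enumerating attacker needs against a low-entropy, non-expiring link space holding roughly the number of records reported above, and the remaining functions show a tracking token that carries an absolute expiry and a 128-bit random nonce under an HMAC, so it cannot be edited, guessed, or used after the order closes.

```python
"""Added example (not from the vpnMentor report, Linc or Carter's): how little
entropy a short tracking slug provides, and a signed, expiring token that fixes it."""
import base64
import binascii
import hashlib
import hmac
import math
import secrets
import time
from typing import Optional


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(entropy_bits: float, live_tokens: int) -> float:
    """Average blind guesses before an enumerating attacker lands on any one of
    `live_tokens` valid tokens: the whole URL space divided by how many of its
    points are live. Links that never expire keep every old order live."""
    return 2 ** entropy_bits / live_tokens


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_tracking_token(order_id: str, ttl_seconds: int, key: bytes,
                         now: Optional[int] = None) -> str:
    """Hardened form: order id, absolute expiry and a 128-bit random nonce,
    bound together by an HMAC-SHA256 tag so no part of the URL can be edited."""
    now = int(time.time()) if now is None else now
    payload = f"{order_id}|{now + ttl_seconds}|{secrets.token_urlsafe(16)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_tracking_token(token: str, key: bytes,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the order id if the token is authentic and unexpired, else None.
    The MAC is checked (in constant time) before the payload is parsed."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # rsplit so an order id containing '|' cannot shift the expiry field.
    order_id, exp, _nonce = payload.decode().rsplit("|", 2)
    if now >= int(exp):
        return None
    return order_id


if __name__ == "__main__":
    # Hypothetical 6-character base62 slug, the kind a generic URL shortener emits.
    bits = token_entropy_bits(62, 6)
    print(f"6-char base62 slug: {bits:.1f} bits, "
          f"~{expected_guesses_per_hit(bits, 410_000):,.0f} blind guesses per live record")
    key = secrets.token_bytes(32)  # placeholder; a real deployment loads this from a secret store
    tok = issue_tracking_token("ORD-12345", ttl_seconds=14 * 86400, key=key)
    print(tok)
    print(verify_tracking_token(tok, key))
```

The arithmetic in the first half is the point: whichever slug format a shortener uses, dividing the URL space by the number of live links gives the cost of a blind hit, and links that never expire keep every historical order in that count. The token in the second half closes the guessing and tampering problem, but only that problem; a confirmation page that displays full PII should additionally require the shopper to be logged in to the account that placed the order, and the backend JSON behind it should return no more fields than the page actually shows.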


Customers exposed t ..
