A security researcher said he discovered millions of Chinese citizen identity numbers spilling online after an e-commerce store left its database exposed to the internet.
Viktor Markopoulos, a security researcher working for CloudDefense.ai, said he found the database belonging to Zhefengle, a China-based e-commerce store for importing goods from overseas.
The database contained more than 3.3 million orders spanning 2015 through 2020, Markopoulos said, but had not been protected with a password.
The order database contained corresponding customer shipping addresses and phone numbers, as well as the customer’s government-issued resident identity card number. Many of the orders also include uploaded copies of the customer’s identity card, TechCrunch has seen.
Customers who import goods to China must have their identity verified, and it’s not uncommon for stores to ask for customers to upload a copy of their identity card.
It’s not known how long the database was exposed. Anyone who knew the IP address of the database could access the data inside using only their web browser.
TechCrunch contacted the owners of the online store with details about the exposed database. A short time later, the database became inaccessible. In reply, the store owners responded: “The vulnerability has been addressed promptly. We are currently investigating the cause internally.”
TechCrunch’s Rita Liao contributed reporting.