Scrubs & Beyond Leaks 400GB of User PII and Card Data in Plain Text

Scrubs & Beyond were alerted multiple times about the data leak, but the company did not respond or secure the server.

Currently, the server holds over 100,000 customer records, totalling 400 GB in size, while the database size and the number of customers are growing each day with new information.

Scrubs & Beyond, a popular online retailer specializing in healthcare uniforms and accessories, has suffered a severe data exposure incident that has made its customers’ personally identifiable information and sensitive financial data publicly accessible.

The leaked server, which contains a wealth of personal information, including full names, email addresses, mobile numbers, physical addresses, and even internal credentials, is publicly accessible and can be downloaded by anyone with knowledge of how to use tools like Shodan—an open-source intelligence (OSINT) tool often referred to as a search engine for the Internet of Things (IoT).

The database was exposed on May 16, 2023. Researchers identified the exposure on May 25, 2023, and since then, the information has remained exposed. Currently, the server holds over 100,000 customer records, totalling 400 GB in size. The database size and the number of customers are growing each day with new information.

According to Anurag Sen of CloudDefense, a security researcher who identified the server, the exposed data also includes plaintext credit card details, such as card numbers, CVV codes, and expiration dates, along with PayPal payment logs, purchase logs, and order information. This puts affected customers at an increased risk of financial fraud, identity theft, and other malicious activities.

As seen on Hackread.com, the full list of the exposed data includes the following:

  • Full name
  • Email address
  • Phone number
  • Physical full address
  • Internal credentials
  • PayPal payment logs
  • Purchase logs and orders
  • Full payment card details, including CVV codes and expiration dates, in plaintext

This breach is particularly alarming because the entire dataset has been exposed without any form of security authentication or password protection. This means that anyone with internet access can potentially access and exploit this sensitive information, posing a significant threat to affected customers’ privacy and financial security.

The trove of data that is being exposed (Screenshots provided to Hackread.com by Sen)

What’s worse, Sen alerted Scrubs & Beyond about the issue on multiple occasions but received no response from the company. This lack of response raises serious questions about the company’s handling of the situation and its commitment to promptly addressing security issues.

Customers who have purchased or interacted with Scrubs & Beyond should be on high alert for any suspicious activities related to their personal and financial information. Affected individuals should monitor their financial accounts regularly, change passwords associated with their Scrubs & Beyond accounts, and consider taking additional security measures such as credit monitoring or fraud alerts.

This incident serves as a stark reminder of the importance of robust data security measures and prompt responses to potential vulnerabilities. Companies entrusted with customer data must prioritize the protection of personal information and take immediate action to rectify any security flaws to safeguard their customers’ privacy.

Impact

Since the server is live and there has been no response from the company, the chances of misuse and abuse of data are high if it gets into the hands of a third party with malicious intent.

Beyond identity-theft fraud, hackers could also hold the company’s server or data for ransom and leak it on cybercrime forums if their demands are not met.

Scrubs & Beyond is yet to release an official statement addressing the breach or providing guidance for affected customers.
