On May 29th, 2023, security researcher Jeremiah Fowler made a concerning discovery: a non-password-protected database belonging to the e-commerce company SimpleTire, which could be accessed by anyone with an internet connection.
Despite Fowler’s efforts to responsibly disclose the issue, he received no response from the company. Shockingly, the database remained accessible for over three weeks after its initial discovery, raising serious concerns about the company’s data security practices.
It is worth noting that Fowler is the same cybersecurity researcher who recently reported on how SuperVPN, a free VPN service, leaked a whopping 360 million user records on the internet.
SimpleTire, founded in 2010, offers customers a convenient online platform for purchasing tires, aiming to streamline the tire buying process with a wide range of options at competitive prices. However, like many online businesses, it fell victim to a significant data breach.
According to a report shared by Fowler with Hackread.com, the exposed database contained a staggering 2,808,697 records, amounting to a massive 1 Terabyte in size. Among the compromised records were 1,189,151 order confirmation documents in PDF format, which included highly sensitive personally identifiable information (PII) such as:
- Phone number
- Customer’s name
- Physical address
- Partial credit card number and expiration dates
Furthermore, the breach encompassed references to installers’ information, return requests, wholesale data, and sales and promotion images, indicating a comprehensive collection of valuable and confidential data.
The exact duration of the database’s exposure remains unknown, as does whether any malicious actors accessed it during that time. In light of this breach, SimpleTire customers are strongly advised not to disclose their credit card details over the phone to anyone claiming to be an employee of the company.
Worryingly, even without resorting to social engineering tactics, potential threat actors who gained access to the compromised database could cross-reference the leaked credit card details with the vast troves of stolen credit card information available online. This raises concerns about the possibility of financial fraud and unauthorized transactions.
Fowler highlighted previous high-profile card breaches, including those of The Home Depot, Neiman Marcus, and Target, where millions of credit card numbers and personal details were compromised. He also mentioned the alarming release of over 2.1 million stolen credit card details by the dark web carding marketplace, BidenCash, earlier this year.
This data breach at SimpleTire serves as a stark reminder of the critical importance for businesses to prioritize robust security measures, safeguard customer data, and promptly respond to security vulnerabilities.