‘Unique Experiences’ Company Exposes 174000 Customers

Written by Bill Toulas
Last updated September 17, 2021

Security researcher Jeremiah Fowler has discovered a new unsecured Elastic database that contained 212220 detailed records, corresponding to 174000 clients of a “unique experiences” company called Amazingco. The company operates in Australia, New Zealand, and the USA, offering services such as kid parties, wine and brewery tours, mystery picnic dates, and many more. The discovery was made on May 11th, and the company was notified immediately. Having received no response, the researcher followed up with a second notice two days later, which resulted in the company taking the database offline, but there has been no official statement on the matter yet.

For anyone who entered the database, the folder named “Customers” left no doubt about what the entries contained. The records included client names, email and home addresses, phone numbers, and even special notes about the booked events. Many of the records also contained the feedback that clients gave on their experiences, the entertainers, or the tour guides. This type of data could be especially helpful for phishing actors. Finally, the unprotected database included IP addresses, ports, paths, and storage info that attackers could potentially leverage to take over or infiltrate deeper into Amazingco’s network.

[Image: database screenshot]
Now, since the company hasn’t published an official statement, and hasn’t responded to the request for comment that the researcher submitted on May 24, there is no information about how long the database has remained accessible to anyone, or how many people could have accessed it so far. The researcher estimates that the insecure period was at least a week, which is more than enough for the “hawk-eye” crooks who search for unprotected online databases all day to locate it.

Since Amazingco is based in Melbourne, Australia, they are subject to the customer data privacy protection laws that apply Down Under. According to a key part of the relevant regulations, data breaches must be made known to the affected users as well as to the country’s authorities if the company responsible has an annual turnover of more than $3 million. Amazingco proudly claims 35000 experiences and over one million organizers and attendees to have enjoyed their services, so they appear to fall within the scope of the law.

Do you think that governments should take a stricter approach to incidents of this type, not allowing companies to keep breaches, or even the mere risk of PII leaks, secret? Let us know what you think in the comments down below, and also on our socials, on Facebook and Twitter.
