LightInTheBox Exposed Global Customer Logs and Personal Data

• LightInTheBox has exposed sensitive customer information by leaving an unprotected database online.
• The database remained accessible for an unknown period of time, and no notices have reached the users yet.
• The exposure concerns IP and email addresses, as well as the visitors' website activity.

As reported by cybersecurity researchers Noam Rotem and Ran Locar, the Chinese online retailer “LightInTheBox” has exposed 1 terabyte of daily customer logs and personal data. The leak occurred through the usual way, which is by leaving a database accessible online without setting up a password, so anyone can find it via the available specialized search engines. The discovery took place on November 20, 2019, the vendors were identified and contacted four days later, and they took immediate action by taking down the leaking database. However, the impact of the incident and the period during which the database remained accessible is unknown.

LightInTheBox is an online retailer that is based in Beijing, China, and sells apparel, accessories, beauty products, electronics, jewelry, baby products, gadgets, and decorative goods. Their online shop is very popular (Alexa rank of 3.4k) as it sells inexpensive products and sends them anywhere in the world without charging for the shipping. It is estimated that every month, approximately 12 million people are visiting LightInTheBox, looking for products and often placing an order. That said, the exposure of one terabyte of data that concerns client logs and other personal information affects a large number of individuals.

As the researchers inform us, the data that was exposed includes the user’s IP addresses, their country of residence, their email addresses, and logs that concern their activity on the website. This activity obviously reveals the person’s interests, which can potentially concern sensitive data exposure. Even if it’s not, scammers, extortionists, and phishing actors could use this information to send emails to the exposed individual and trick the recipient into giving them money. That said, the fact that LightInTheBox hasn’t circulated breach notifications to the exposed clients yet is making the situation even worse.

Source: VPN Mentor Blog

As the holiday season approaches, the average consumer should be extra careful with what websites they trust and with how they respond to unsolicited emails that come from unknown sources. Pay close attention to the URLs to avoid landing on phishing pages, and carefully look into the email address of the messages that end up in your inbox. If you have bought something from LightInTheBox during the past few months, be extra careful from now on. Also, next time, you may want to buy your goods from a vendor who takes your data protection more seriously.

Have you bought anything from LightInTheBox recently? Did you receive any phishing messages lately? Share your experience with us in the comments down below, or on our socials, on Facebook and Twitter.