‘Lollicupstore’ Exposed Customer Data Online via Unprotected Database

  • The largest bubble tea supplier in the U.S. has exposed millions of internal and client records online.
  • Some of the listings contained payment information, opening up the exploitation possibilities.
  • The tea supplier never responded to the notices and hasn’t acknowledged the incident publicly.

The ‘Lollicupstore,’ America’s largest “bubble tea” supplier, has exposed sensitive customer information by misconfiguring one of its databases and leaving it accessible online. Besides client data, the 112 million records in the database also include product information, sales records, and various internal information that shouldn’t have been published. The researcher responsible for the discovery and disclosure is Jeremiah Fowler, who immediately notified the owner on April 28, 2020. Lollicupstore failed to answer and was contacted again on May 3, 2020, and then one final time on June 3, 2020. No response was ever provided from the tea supplier, but the database was secured.

According to what J. Fowler managed to figure out during the time he had to analyze such a large volume of data (he didn’t download the database contents), the following information has been exposed:

  • 112,723,640 records
  • Client names
  • Client email addresses
  • Shipping details
  • Internal logs
  • System admin emails
  • Password tokens
  • IP addresses
  • Ports
  • Pathways

lollicupstore_database
Source: Security Discovery

What can be deduced from the above is that the misconfiguration has placed the company at risk of having deeper hacker infiltration events since all that an attacker could have asked for to dive into the firm’s network is there. The clients are running the risk of getting scammed or phished since crooks would have enough data to trick them through social engineering.

It is unknown if ‘Lollicupstore’ informed its clients of the security incident, but there’s more into it that should make the sending of a notice non-negotiable. The researcher says he located a “payment” file with over 835,000 records in it, and these details could be very revealing for the supplier’s clients. According to the Lollicupstore website, payments are processed via PayPal, so the leaked emails could be linked to PayPal accounts.

All that said, if you have done business with Lollicupstore in the past, be very careful with how you handle incoming communications. A classic way that malicious actors could try to exploit the leaked data would be to ask you to update your payment data for future bubble tea orders, and you shouldn’t fall for it. They will mention previous orders with details that only a Lollicupstore employee would know, in an attempt to convince you of the legitimacy of the communications and the main request.

REVIEW OVERVIEW

Recent Articles

What is Zero Trust Network Access (ZTNA) and Why Does it Matter?

Security is not something that's simply tacked on to an existing system. It's a fundamental aspect of that system's design. This is especially true...

How to Watch ‘CMA Best of Fest’ Live Online

We may not be able to attend concerts right now, but we can still enjoy some of our favorite music, especially when it comes...

5 Best VPN for Hong Kong in 2020 (Protect Yourself From The New National Security Law)

Without any doubt, Internet users in Hong Kong are in a very delicate situation right now. As you surely know, this previously independent territory...

How to Watch Quaker State 400 Online – Live Stream NASCAR Cup Series at Kentucky

We've got another NASCAR race on our hands, and the Quaker State 400 is just around the corner. We plan on watching the Quaker...

Seattle Police Booby-Trapped a File to Catch Ransomware Actor

An interesting method used by U.S. law enforcement authorities has been revealed. The FBI and the police use booby-trapped files that are...