‘Lollicupstore’ Exposed Customer Data Online via Unprotected Database

  • The largest bubble tea supplier in the U.S. has exposed millions of internal and client records online.
  • Some of the listings contained payment information, opening up the exploitation possibilities.
  • The tea supplier never responded to the notices and hasn’t acknowledged the incident publicly.

The ‘Lollicupstore,’ America’s largest “bubble tea” supplier, has exposed sensitive customer information by misconfiguring one of its databases and leaving it accessible online. Besides client data, the 112 million records in the database also include product information, sales records, and various internal information that shouldn’t have been published. The researcher responsible for the discovery and disclosure is Jeremiah Fowler, who immediately notified the owner on April 28, 2020. Lollicupstore failed to answer and was contacted again on May 3, 2020, and then one final time on June 3, 2020. No response was ever provided from the tea supplier, but the database was secured.

According to what J. Fowler managed to figure out during the time he had to analyze such a large volume of data (he didn’t download the database contents), the following information has been exposed:

  • 112,723,640 records
  • Client names
  • Client email addresses
  • Shipping details
  • Internal logs
  • System admin emails
  • Password tokens
  • IP addresses
  • Ports
  • Pathways

Source: Security Discovery

What can be deduced from the above is that the misconfiguration has placed the company at risk of having deeper hacker infiltration events since all that an attacker could have asked for to dive into the firm’s network is there. The clients are running the risk of getting scammed or phished since crooks would have enough data to trick them through social engineering.

It is unknown if ‘Lollicupstore’ informed its clients of the security incident, but there’s more into it that should make the sending of a notice non-negotiable. The researcher says he located a “payment” file with over 835,000 records in it, and these details could be very revealing for the supplier’s clients. According to the Lollicupstore website, payments are processed via PayPal, so the leaked emails could be linked to PayPal accounts.

All that said, if you have done business with Lollicupstore in the past, be very careful with how you handle incoming communications. A classic way that malicious actors could try to exploit the leaked data would be to ask you to update your payment data for future bubble tea orders, and you shouldn’t fall for it. They will mention previous orders with details that only a Lollicupstore employee would know, in an attempt to convince you of the legitimacy of the communications and the main request.

How to Watch Junior Bake Off 2023 (Season 8) Online from Anywhere
Get ready to watch juniors show off their baking skills! Junior Bake Off 2023 (Season 8) is all set to be aired!...
How to Watch How I Met Your Father Season 2 Online from Anywhere
How I Met Your Father Season 2 is set to hit the screens pretty soon. We have the premiere date, plot, cast,...
How to Watch Better Date Than Never Online: Stream the Dating Docuseries from Anywhere
Are you a docuseries lover? If so, we have a piece of exciting news! Better Date Than Never, a new six-episode series,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari