‘Lollicupstore’ Exposed Customer Data Online via Unprotected Database

• The largest bubble tea supplier in the U.S. has exposed millions of internal and client records online.
• Some of the listings contained payment information, opening up the exploitation possibilities.
• The tea supplier never responded to the notices and hasn’t acknowledged the incident publicly.

The ‘Lollicupstore,’ America’s largest “bubble tea” supplier, has exposed sensitive customer information by misconfiguring one of its databases and leaving it accessible online. Besides client data, the 112 million records in the database also include product information, sales records, and various internal information that shouldn’t have been published. The researcher responsible for the discovery and disclosure is Jeremiah Fowler, who immediately notified the owner on April 28, 2020. Lollicupstore failed to answer and was contacted again on May 3, 2020, and then one final time on June 3, 2020. No response was ever provided from the tea supplier, but the database was secured.

According to what J. Fowler managed to figure out during the time he had to analyze such a large volume of data (he didn’t download the database contents), the following information has been exposed:

• 112,723,640 records
• Client names
• Client email addresses
• Shipping details
• Internal logs
• System admin emails
• Password tokens
• IP addresses
• Ports
• Pathways

What can be deduced from the above is that the misconfiguration has placed the company at risk of having deeper hacker infiltration events since all that an attacker could have asked for to dive into the firm’s network is there. The clients are running the risk of getting scammed or phished since crooks would have enough data to trick them through social engineering.

It is unknown if ‘Lollicupstore’ informed its clients of the security incident, but there’s more into it that should make the sending of a notice non-negotiable. The researcher says he located a “payment” file with over 835,000 records in it, and these details could be very revealing for the supplier’s clients. According to the Lollicupstore website, payments are processed via PayPal, so the leaked emails could be linked to PayPal accounts.

All that said, if you have done business with Lollicupstore in the past, be very careful with how you handle incoming communications. A classic way that malicious actors could try to exploit the leaked data would be to ask you to update your payment data for future bubble tea orders, and you shouldn’t fall for it. They will mention previous orders with details that only a Lollicupstore employee would know, in an attempt to convince you of the legitimacy of the communications and the main request.