Over half a year ago, the Cybernews research team discovered a sensitive data leak in which the data of six million shoppers was handed to threat actors on a silver platter.
Despite multiple attempts to contact the company, the leaking database still hasn’t been secured.
Therefore, in addition to contacting the Brazilian CERT to help us secure the shoppers’ data, we’ve decided to post our findings to help customers stay vigilant ahead of the seasonal shopping madness that’s about to kick off.
On February 28th, 2025, Cybernews researchers discovered that VTEX, a global e-commerce platform, accidentally uploaded a massive chunk of its users’ data to the open internet.
According to its website, it powers 3,500 online stores and is used by major brands such as Samsung, Nestle, Mazda, Coca-Cola, Walmart, and Sony.
The data leak originated from an unauthenticated container. This is a common misconfiguration caused by human error that leaves the cloud storage environment without a password. It makes private data potentially visible to search engines and accessible to anyone online.
The open storage contained files in Parquet format, a columnar data storage format used to organize and store large datasets that often are part of the company’s analytics or customer data pipeline.
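The two paragraphs above describe the failure mode: a storage container reachable without credentials, holding data-pipeline exports. The following is an added example, not code from Cybernews or VTEX, showing how a defender would audit a container inventory offline for exactly that combination. The inventory format and sample data are constructed, and the three public-access levels ("none", "blob", "container") are borrowed from Azure Blob Storage as an assumption; the article does not name the cloud provider.

```python
"""Offline audit of storage-container access settings (added example).

Assumptions (not from the article): the Container record format and the
SAMPLE_INVENTORY below are constructed, and the public-access levels mirror
Azure Blob Storage's "none" / "blob" / "container" settings.  The pattern
carries over to any object store: a container readable without credentials
is a misconfiguration, and analytics exports sitting in it raise the severity.
"""
from dataclasses import dataclass, field, replace

# File types typically produced by analytics or customer-data pipelines.
DATA_EXPORT_SUFFIXES = (".parquet", ".csv", ".jsonl", ".sql", ".bak")


@dataclass
class Container:
    name: str
    public_access: str            # "none", "blob", or "container"
    blobs: list = field(default_factory=list)


def is_anonymously_readable(container: Container) -> bool:
    """True if an unauthenticated client can download blobs from the container."""
    return container.public_access.lower() in ("blob", "container")


def is_anonymously_listable(container: Container) -> bool:
    """True if an unauthenticated client can also enumerate the blob names,
    which is what lets search engines and scanners find the data."""
    return container.public_access.lower() == "container"


def audit(inventory: list) -> list:
    """Return one finding per anonymously readable container, highest severity first."""
    findings = []
    for c in inventory:
        if not is_anonymously_readable(c):
            continue
        exports = [b for b in c.blobs if b.lower().endswith(DATA_EXPORT_SUFFIXES)]
        if exports:
            severity = "high"
        elif is_anonymously_listable(c):
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "container": c.name,
            "public_access": c.public_access,
            "listable": is_anonymously_listable(c),
            "exposed_exports": exports,
            "severity": severity,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def harden(container: Container) -> Container:
    """Corrected setting: no anonymous access at all. Callers still need
    authenticated access (SAS tokens, RBAC) configured separately."""
    return replace(container, public_access="none")


# Constructed sample inventory: one leaking analytics container, one
# public-by-design static-assets container, one already private.
SAMPLE_INVENTORY = [
    Container("analytics-exports", "container",
              ["orders/2025-02/part-0001.parquet",
               "customers/2025-02/part-0001.parquet"]),
    Container("web-assets", "blob", ["logo.png", "style.css"]),
    Container("backups", "none", ["db-2025-02-27.bak"]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['container']} "
              f"(public_access={f['public_access']}, listable={f['listable']}) "
              f"exports={f['exposed_exports']}")
```

The "high" finding is the one the article describes: a listable container full of Parquet exports. The "web-assets" container is readable but neither listable nor holding exports, so it is reported at low severity for a human to confirm it is public on purpose rather than silently ignored.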
The leaked files exposed private data records of over six million customers using VTEX-provided e-commerce solutions. The exposed dataset leaked information about consumer behavior, listing individual purchase histories, delivery addresses, and contact details.
The scale of the data leak is threatening. VTEX is a global e-commerce solution provider founded in Brazil with clients across 38 countries. The company is behind thousands of online stores, and any data leaks could potentially have a global impact.
Cybernews researchers warn that attackers could exploit the leaked data to craft convincing phishing attacks, mimicking trusted retailers.
If a customer who recently purchased something on a VTEX-powered e-commerce site receives an SMS or email claiming to be an “order confirmation” or reporting a “delivery issue,” they are much more likely to fall for the scam and hand over their card or login details.
People’s order histories reveal routines, health or lifestyle choices, and point to high-value targets for fraud. Even worse, the dataset includes home addresses and phone numbers, which could lead to doxxing attacks, stalking, or harassment.
The Cybernews newsroom has also contacted VTEX for additional comments. However, similar to our researchers’ attempts to draw the company’s attention to the matter, our journalists’ emails still remain unanswered.
Shoppers are advised to think twice before clicking on any links in emails, especially from unknown sources or social media ad campaigns. If the source seems familiar, always carefully check the sender’s email address, as threat actors might be impersonating well-known brands.
Deals that look too good to be true usually are. Always double-check the information on the brand’s official site or communication channels instead of following suspicious links. While communicating with vendors, always stay on the vendor’s platform. Ignore unsolicited texts claiming to be from vendors, and never share payment details or sensitive credentials via email.
Also, it is advisable to use virtual credit cards to protect your real card information. Using such disposable cards limits exposure to fraud for a single purchase and guards against breaches on retail sites.
You are also likely to get bombarded with messages and emails saying there’s something wrong with your parcel or that you need to pay a small fee before delivery and pickup.
First, calm down and remember whether you ordered anything at all. Even if you did, the urgency of such texts is a clear sign of a potential scam, so it’s better that you contact the seller and the shipping company directly.