High-profile hacks always seem to hit the news. Equifax was previously one of the biggest, affecting nearly 150 million people. However, a later breach reached 328 million records, and the hackers who attacked the Marriott Hotels reservation system managed to get into the data of around 500 million people, one of the biggest data breaches in history.
The publicity around these kinds of breaches is alarming enough for anyone who cares about who is accessing their personal data online. It is even more disconcerting to think that our data could be compromised on major websites without our ever hearing about it. Unfortunately, the scenarios described here illustrate that this is exactly what is happening.
Hidden Trackers Expose Vulnerabilities
Attribution software is part of a website’s marketing infrastructure. It helps marketing teams understand the path a visitor takes before becoming a customer by tracking the user’s activity across multiple channels, including social media, advertising platforms, and email campaigns.
Branch.io provides a mobile traffic attribution service used by many big-name websites, including Pinterest, Tinder, Yelp, and Airbnb. In 2018, a team of security researchers investigating client-side security came across a vulnerability in Tinder’s security.
After further research, they found that the vulnerable endpoint was not owned by Tinder but by Branch.io. The attribution software had set up a hidden subdomain (go.tinder.com) that contained a cross-site scripting flaw. The flaw allowed attackers to craft malicious links; if a user clicked one of these links while logged into their Tinder account, the attacker could gain access to that user’s profile and data.
Although Branch.io quickly released a patch for the vulnerability, Tinder was not the only service affected – potentially every Branch.io client using that software was exposed in the same way. This means that the data of up to 685 million users was at risk.
Ensuring Account Security
Although Branch.io has fixed the issue, there is no way of knowing whether attackers exploited this vulnerability or, if they did, the extent of the damage. Anyone who uses these services is advised to take precautionary measures: change the account password and remain vigilant for any suspicious account activity.
Incidents such as this underline the need for good password housekeeping. This means changing passwords regularly and, critically, not reusing the same password across multiple accounts.
How Chinese Companies Access Amazon Customer Data
Amazon has been recruiting vendors from China since 2015, and sales from the region almost doubled within that first year. Setting up as a seller on Amazon is incredibly easy using the company’s “Fulfilled by Amazon” (FBA) program.
A seller can order wholesale goods online for delivery directly to an Amazon warehouse, which then ships the product to customers.
Amazon then pays the seller. Many sellers opt to use a payment gateway service, which, in China, usually means a domestic payment provider. This is where the confidentiality of Amazon customer data started to fall apart.
To connect a payment gateway service to an Amazon Marketplace account, the seller supplies an API key called the Marketplace Web Token. This key allows the payment gateway to receive the seller’s payments and nothing more. However, various discussions between sellers on Amazon’s Seller Central forums indicate that some domestic Chinese payment providers have been demanding that sellers hand over their “secret key” instead. Unlike the Marketplace Web Token, the secret key provides full access to the seller account, including the data of every customer who has ordered from that seller: names, addresses, purchase history, and credit card information.
Like the Branch.io case described above, it is difficult to quantify how many people may have been affected by the Amazon issue. For scale, in 2018, 58.7 million US households had an Amazon Prime subscription, a figure that reached 200 million households in 2022.
The average Prime member spends $1,400 per year on Amazon, placing an average of two orders per week.