A database hosed on Amazon Web Services holding eight million retail sales records from the European Union was left exposed compromising customer personal and financial information.

The open MongoDB database had no password or other authentication set. It was operated by a third-party vendor who pulled sales data from a range of retailers, including Amazon UK, Ebay, Shopify, PayPal and Stripe in order to calculate value-added taxes for different countries. The information left unprotected included customer names, email addresses, shipping addresses, purchases and the last four digits of credit card numbers.

The database was discovered by Comparitech’s security research team led by Bob Diachenko on February 3, 2020 at which time he notified Amazon and the other retailers. On February 8 the owner of the database was found and informed and immediately shut it down.

Although eight million records were exposed, Comparitech does not know how many individuals were involved as some people could have made multiple purchases that were aggregated on the database.

Amazon told Comparitech the email addresses and credit card details were not exposed from Amazon, as it is not collected.

Even though full payment card details were not revealed the treasure trove of data is still incredibly useful for cybercriminals. One of the primary uses for this data would be for phishing scams. The information lost would make it easy for a criminal to create a very convincing email to try and draw out login credentials or payment information from their retail accounts, Diachenko said.