Not all of the personal and financial information that ends up online is the result of a data breach carried out by hackers. Instead, there are also data leaks where sensitive info is exposed as a result of negligence when a database is left unsecured without a password.
As discovered by the security team at LEAKD, 5 million U.S. credit card details and other sensitive data was found in an AWS S3 bucket that could have been accessed by anyone online. Just like with the best cloud storage, an S3 bucket is a virtual file folder stored in the cloud that’s often used by businesses to store customer data.
While we currently don’t know who was behind this leak, from the screenshots seen by LEAKD, it appears to have come from a phishing operation. Normally, this stolen data would be for hackers only but by forgetting to protect it with a password, anyone with the necessary know-how could have accessed this information.
Here’s everything you need to know about this major data leak along with the steps you should take to secure your digital life if you believe that your credit card details and other personal data might have been compromised.
No, you didn’t just win an iPhone
One of the easiest ways that hackers trick potential victims into giving up their personal data and financial details of their own accord is through fake giveaways and other too-good-to-be-true offers. While most people would recognize these as a scam almost immediately, others might click on them out of curiosity which is certainly something I wouldn’t recommend.
This time around, a free iPhone or heavily discounted holiday gifts were the lure and given that the S3 bucket in question had 5TB worth of screenshots, a lot more people than you’d think fell for this scam.
By getting potential victims to fill out an online form, the cybercriminals behind this scam managed to collect their full names, billing addresses, email addresses, phone numbers and credit card details. All without any hacking whatsoever or deploying malware onto their phones or computers.
Besides using this info to commit fraud or even identity theft, it could very well end up for sale on the dark web for other hackers to use in their attacks. As LEAKD points out in its report on the matter, the average U.S. credit card and the details associated with it usually sells for around $17 online. Given that this data leak contains an estimated 5 million unique U.S. credit and debit cards, this treasure trove of personal and financial information could be worth more than $85 million when all is said and done.
How to stay safe after a data leak
If you or someone you know — think teenagers or older relatives with poor cyber hygiene — might have fallen for one of these scam giveaways, then you need to take action immediately.
For starters, you should actively monitor your credit card and other financial statements for signs of fraud and other suspicious activity. If you find something, you’re going to want to notify your bank as soon as possible so that they can put a freeze on any affected cards. Likewise, if you want to be proactive, you can set up fraud alerts with your bank or credit card provider.
From here, you’re going to want to change the passwords for any affected accounts and enable multi-factor authentication if you haven’t already. You can also implement a credit freeze so that no one else can take out loans or open new accounts in your name.
Investing in one of the best identity theft protection services is always a good idea, especially if you have teenagers or others in your household who aren’t security savvy. These services can help you recover your identity after a crisis as well as get back any funds lost to fraud.
You’re also going to want to be on the lookout for targeted phishing attacks trying to coax even more valuable information out of you. With your full name, phone number, physical address and email address, these could arrive in your inbox, mailbox or even as a text message or phone call. As such, you’re going to want to be very cautious when dealing with unsolicited messages both in the real world and online.
To see if your personal and financial info was really exposed, you can use a data leak checker. HaveIBeenPwned is one of the most popular ones but Cybernews has one too as do many cybersecurity companies. You just enter your email address and then these services will let you know if it and your other credentials have shown up online where they shouldn’t.
Free iPhone scams and steep discount offers around the holidays are nothing new but if you haven’t yet, it’s worth educating yourself as well as your family on the best ways to spot an online scam before it’s too late.
More from Tom's Guide
- Hackers are posing as job recruiters to spread a dangerous banking trojan and steal your money
- Millions stolen from LastPass users in massive hack attack — what you need to know
- Half a million medical patients just had their addresses, dates of birth, SSNs and more stolen by hackers
