Scrubs & Beyond Leaks 400GB of PII and Card Data
Take action: Ignoring people when they tell you that you have an exposed data on the internet is bad. Sometimes 400GB and 100,000 users bad.
Learn More
Scrubs & Beyond has a severe data leak, and altthough notified multiple times, the company has failed to respond or secure the server. The incident involves data exposure of personally identifiable information and sensitive financial data of the company's customers.
The leaking server, which contains a vast amount of personal information including full names, email addresses, mobile numbers, physical addresses, and internal credentials, is accessible to the public and can be downloaded by individuals knowledgeable in tools like Shodan, an open-source intelligence tool commonly that identifies visible services or databases on the internet.
The exposure of the database was discovered on May 25, 2023, after it was initially exposed on May 16, 2023. The server currently holds over 100,000 customer records, totaling 400 GB in size, with both the database size and the number of customers growing each day as new information is added.
Security researchers inform that the exposed data includes plaintext credit card details such as card numbers, CVV codes, and expiration dates, as well as PayPal payment logs, purchase logs, and order information. This places affected customers at an elevated risk of financial fraud, identity theft, and other malicious activities.
The probabiliy of the data being exfiltrated by malicious actors is a near certainty as it lacks any form of security authentication or password protection. Anyone with internet access can potentially access and exploit this sensitive information.
What is particularly alarming is that researchers contacted Scrubs & Beyond about the issue multiple times but did not receive any response from the company.
The lack of response from Scrubs & Beyond and the ongoing availability of the server increases the likelihood of data misuse and abuse by third parties with malicious intent. Hackers will exploit the data for identity theft-related fraud or hold the company's server or data for ransom, potentially leaking it on cybercrime forums if their demands are not met.
At present, Scrubs & Beyond has not released an official statement addressing the breach or providing guidance for affected customers.
