A team at antivirus (AV) reviews site SafetyDetectives found the China-based Elasticsearch server exposed online without any password protection or encryption.
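The exposure described here is the classic case of an Elasticsearch node bound to a public interface with security features left off. As an added illustration (not configuration from the article or from SafetyDetectives), the fragment below contrasts the kind of `elasticsearch.yml` settings that produce an unauthenticated, plaintext listener with a hardened equivalent. The keystore file names and the private-network address are placeholders chosen for the example; the setting keys themselves are standard Elasticsearch options.

```yaml
# --- Weak: what an exposed node typically looks like (illustrative, not the leaked server's config) ---
# Binding to all interfaces puts the REST API on the public internet.
network.host: 0.0.0.0
# Security off means no authentication, no TLS: anyone can read /_cat/indices and dump documents.
xpack.security.enabled: false

# --- Hardened: the corrected equivalent ---
# Bind only to a private address; reach the cluster through a VPN or reverse proxy.
network.host: 10.0.0.12          # placeholder private address

# Turn on authentication and role-based access (enabled by default since Elasticsearch 8.0,
# but must be set explicitly on 7.x and earlier).
xpack.security.enabled: true

# Encrypt the REST API so credentials and data do not cross the wire in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder keystore path

# Encrypt node-to-node traffic as well; required once security is enabled on a multi-node cluster.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder keystore path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # placeholder truststore path
```

A quick self-check for operators is to request the node's root URL from outside the network: a JSON banner with cluster name and version returned over plain HTTP with no credentials means the node is in the weak state above, whereas a hardened node answers only over HTTPS and rejects the request with a 401 until valid credentials are supplied.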
The 7GB trove contained over 13 million records including the email addresses and WhatsApp/Telegram phone numbers of vendor contacts, plus email addresses, surnames, PayPal account details and Amazon account profiles of reviewers.
According to SafetyDetectives, fake review scams typically begin with vendors sending their reviewer contacts a list of products for which they would like a five-star review.
After leaving the review and sending the vendor a link, the reviewer will be paid via PayPal to compensate them for the product purchase and will be allowed to keep the product itself as payment. The reviews site claimed that the leak implicated around 200,000 individuals in such schemes.
The SafetyDetectives team discovered the database on March 1 and it was secured around a week later, although the researchers weren’t able to track down its owner.
“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors,” it explained.
“Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products. The server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors. What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”
There’s also a potential data security and identity fraud risk for those whose information was exposed in the privacy snafu, SafetyDetectives warned.