
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 852 of 2,445   
   Mike Powell to All   
   Top collectibles site lea   
   21 Mar 25 10:30:00   
   
   TZUTC: -0500   
   MSGID: 568.consprcy@1:2320/105 2c42bff6   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Top collectibles site leaks personal data of nearly a million users   
      
   Date:   
   Thu, 20 Mar 2025 17:04:00 +0000   
      
   Description:   
   Cybernews found a non-password-protected database containing Collectibles.com   
   user names, addresses, and more.   
      
   FULL STORY   
   ======================================================================   
    - Cybernews found an Elasticsearch instance with 870,000 unique records   
    - They were generated by Collectibles.com, a major collectible cards   
   marketplace   
    - The database was locked ten days later   
      
   Collectibles.com, a major collectible cards marketplace, has been leaking   
   sensitive information on hundreds of thousands of users, exposing them to    
   risk of identity theft, wire fraud, phishing, and more, experts have claimed.    
      
   This is according to the research team from Cybernews, who recently
   discovered, and reported, a non-password-protected Elasticsearch instance.
      
   The team found a 300GB cluster of valuable user data, counting more than
   870,000 records, each representing a different person, noting how, "The
   exposure of user details and transaction histories poses a significant
   security risk, potentially enabling identity theft, targeted fraud, and
   account takeovers."
      
   Working around security solutions    
      
   Formerly known as Cardbase, Collectibles.com is an online marketplace and
   management platform for collectors, allowing users to track, buy, and sell   
   various collectibles, including trading cards, comics, and memorabilia. In a   
   2024 press release, the company claimed to have roughly 300,000 users.    
      
   The data Collectibles.com was leaking includes people's full names, their
   email addresses, profile picture links, other user account details,   
   collectible card sales, and transactional data.    
      
    Cybernews reached out to the company to report their findings, but besides    
   an automated response, the company did not acknowledge the data leak, they   
   said.    
      
   The instance was closed ten days later, although we don't know for how long it
   remained open before being discovered. We also don't know if any malicious
   actors discovered it before Cybernews, and possibly even used the data in
   phishing.
      
   Exposed databases remain one of the key causes of data leaks. Many   
   organizations hoard sensitive customer data in a cloud database, some of    
   which don't understand that with cloud, security is a shared responsibility.
      
   Security researchers and cybercriminals alike can use tools like Shodan or   
   Elasticsearch to find these databases and use the information found there to   
   run all kinds of scams.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/top-collectibles-site-leaks-personal-data-of-nearly-a-million-users
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca