Month: February 2025

Hipshipper, an international shipping platform used by sellers on eBay, Shopify and Amazon, accidentally exposed 14.3 million shipping labels with personal customer information. Researchers at Cybernews found the exposed data in December 2024, but it wasn’t fixed until January 2025. Hipshipper helps people ship packages to over 150 countries, offering tracking, free insurance and easy returns. The unprotected AWS bucket exposed shipping labels are important because they detail what’s inside the packages and where they’re supposed to go.

Cybernews researchers added: “Cybercriminals can exploit leaked data to orchestrate advanced scams and phishing attacks. For example, crooks may impersonate trusted businesses and distribute fraudulent messages that leverage specific order details to demand urgent verification of personal or financial information.” Sophisticated attackers could employ the details to impersonate businesses and lure sensitive information from customers. With shipping labels at hand, attackers could reference specific orders, adding credibility to otherwise fraudulent demands.

The leaked data included full names, home addresses, phone numbers and order details (dates of mailing, parcel information, etc.).

Read more about it here.

Online food ordering and delivery platform GrubHub suffered a data breach that exposed the personal information of drivers, merchants and customers.

“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team” the company said on Monday, February 3, 2025.

“We immediately terminated the account’s access and removed the service provider from our systems altogether.”

The following data was accessed, varying by individual: Names, email addresses and phone numbers, as well as partial payment card information for a subset of campus diners (card type and last four digits of the card number).

The threat actor also accessed hashed passwords for certain legacy systems, and the company rotated any passwords that was believed might have been at risk.

GrubHub has not disclosed whether it was targeted by a ransomware attack, and as of this writing, no known ransomware group has claimed responsibility.

Grubhub is a popular food-ordering and delivery platform with more than 375,000 merchants and 200,000 delivery providers using its platform in more than 4,000 US cities.

Read more about it here.

DeepSeek, the Chinese AI startup known for its DeepSeek-R1 LLM model, has publicly exposed two databases containing sensitive user and operational information.

Wiz Research discovered a publicly accessible ClickHouse database belonging to DeepSeek, containing over 1 million log entries, and exposing chat history, secret keys, and backend details.

“Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data. It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.” reads the report published by Wiz.

“This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.” continues the report.

This exposure could have allowed full database control and potential privilege escalation within the DeepSeek environment, without any authentication.

After responsible disclosure, DeepSeek promptly secured the issue.

Read more about it here.