Hipshipper, an international shipping platform used by sellers on eBay, Shopify and Amazon, accidentally exposed 14.3 million shipping labels with personal customer information. Researchers at Cybernews found the exposed data in December 2024, but it wasn’t fixed until January 2025. Hipshipper helps people ship packages to over 150 countries, offering tracking, free insurance and easy returns. The unprotected AWS bucket exposed shipping labels are important because they detail what’s inside the packages and where they’re supposed to go.
Cybernews researchers added: “Cybercriminals can exploit leaked data to orchestrate advanced scams and phishing attacks. For example, crooks may impersonate trusted businesses and distribute fraudulent messages that leverage specific order details to demand urgent verification of personal or financial information.” Sophisticated attackers could employ the details to impersonate businesses and lure sensitive information from customers. With shipping labels at hand, attackers could reference specific orders, adding credibility to otherwise fraudulent demands.
The leaked data included full names, home addresses, phone numbers and order details (dates of mailing, parcel information, etc.).
Read more about it here.