Quote:Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure.
The issue started with Linc, which is a vendor the company used to automate purchases online, according to analysts with vpnMentor who first discovered the issue. The Linc system was delivering customers shortened URLs with Carter’s purchase and shipping details without basic security protections. The links contained everything from purchase details to tracking information and more.
“Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as: Full names delivery addresses and phone numbers,” the report explained.
The analysts calculated that more than 410,000 records, and hundreds of thousands of customer records, were exposed in the leak — which they estimated dates as far back as 2015.
“Those shortened URLs were easily discoverable to hackers due to a lack of sufficient entropy or compensating security protocols,” the vpnMentor analysts wrote. “Carter’s also put no authentication in place to verify that only the person who’d made the purchase could visit the confirmation page.”
Compounding the risk, the researchers found that the links never expired, meaning customers who might have purchased from Carter’s years ago were still potentially in danger.
Read more: Baby Clothes Giant Carter’s Leaks 410K Customer Records | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
