Security researchers uncovered information relating to thousands of credit cards, along with other sensitive personal data, exposed online in a bizarre security mishap. The data was allegedly left exposed by Vietnam's luxury hotel chain Silverland Hotel in Ho Chi Minh City. The researchers found that the hotel operated an open database which hosted sensitive customer information including names, travel details, login credentials, IP addresses and more.
According to security researchers with the MacKeeper Security Research Center, the hotel's open database, which was first discovered on 12 August, was "publically available and required no password access". Moreover, the exposed database was found to be hosted on the same IP address used by the hotel's website.
The security researchers said in a blog post: "Imagine you have saved and planned for your perfect holiday trip to Vietnam's capital, you booked your luxury hotel and of course you wouldn't expect your card details and personal info available online. Along with the payment information, the database also contained login details, IP and special requests of the guests. The total number of entries reached 6,377 items (i.e. credit card details)."
"[I was] absolutely surprised and shocked," Volodymyr Dyachenko, a member of the MacKeeper Security Research Team, told Motherboard. "Sometimes we do encounter [databases] with payment info, but at least they have it hashed or encrypted."
The more than 6,000 entries in the publicly available database comprised complete credit card details, including card type, number, expiration date, CVV and name on card. Reports speculated that any hackers who got their hands on the exposed information would have hit the jackpot, since accessing the data trove would not even have required any actual cyber-skills. Hackers could potentially have simply copy-pasted the credit card information and used it personally or put it up for sale on dark web marketplaces.
MacKeeper researchers said they notified the hotel immediately after they spotted the exposed data. However, according to Dyachenko, it took Silverland Hotel an additional 18 days after being notified to secure the database, by which time the database had been exposed for a total of 62 days.
"The MacKeeper Security Research Center sent multiple emails, used the live chat feature on the website and even spoke with the assistant of the hotel owner using the private phone number found on the domain registry. The slow response left customers exposed as they continued to add additional credit card numbers to the database," the researchers said.
Silverland has yet to make any announcement or comment on the matter, and it is still unclear how or why the database was left exposed to the public without any password protection. There is no evidence yet that any hackers have found and misused the data.