1.6 Million Customer Emails Exposed in Etsy and TikTok Shop Data Leak

Exposed Azure Blob Storage containers leaked 1.6 million customer emails from Etsy, TikTok Shop, and others, revealing names, addresses, and order data.

    A large-scale data exposure has compromised over 1.6 million customer records linked to major online marketplaces, including Etsy, TikTok Shop, and Poshmark.

    Misconfigured Azure Blobs Leak Email Confirmations and Customer Data

    On March 12, 2025, the Cybernews research team discovered two unprotected Azure Blob Storage containers exposing over 1.6 million files. The containers included HTML-format shipping confirmation emails containing:

    • Full names
    • Email addresses
    • Home addresses
    • Order details

    Most of the data appears to belong to U.S.-based customers, though records from Canada and Australia were also identified. The majority of exposed entries are linked to Etsy, with additional records from TikTok Shop, Poshmark, and a seller named Embroly.

    Researchers believe the source of the leak is a single Vietnam-based embroidery service that operates multiple storefronts across these platforms.

    Threat Potential: Phishing, Impersonation, and Malware Delivery

    The leaked shipping emails provide threat actors with detailed personal and transactional information that can be weaponized for:

    • Phishing attacks impersonating Etsy or delivery companies
    • Social engineering scams requesting payments or verification of fake orders
    • Targeted malware campaigns using specific order references to increase legitimacy

    “With access to personal information like full names and addresses, attackers could impersonate trusted shipping providers or Etsy itself,” researchers noted.

    “The email confirmations, which contain personal and order information, could be used to deliver malware,” they added.

    Attackers could craft convincing fake emails referencing actual order contents, making it more likely that victims would click malicious links or download harmful attachments.

    Ownership of the Leak Remains Unclear

    While the leak is tied to custom embroidery orders, researchers could not identify the exact owner of the misconfigured cloud instance. Processing records suggest the shops belong to one entity using multiple storefronts, primarily on Etsy.

    The misconfiguration allowed open access to sensitive email confirmations without any form of authentication.

    Security Recommendations from Researchers

    To prevent similar data leaks, the Cybernews team recommends:

    • Enforcing access controls for all cloud storage containers
    • Reviewing access logs for any signs of unauthorized access
    • Enabling server-side encryption for stored data
    • Managing encryption keys securely via services like Azure Key Vault
    • Securing data in transit using SSL/TLS protocols
    • Conducting regular audits and staff security training
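
For the log-review recommendation above, the following is an added example (not from the Cybernews report or any affected party) that summarises successful unauthenticated reads per container. It assumes JSON-lines records carrying the Azure Storage resource log fields `identity.type`, `operationName`, `statusCode`, `callerIpAddress` and `uri`; the account name, container names and all records are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not from the incident), shaped like Azure Storage
# resource logs in JSON-lines form; account and container names are hypothetical.
SAMPLE_LOG = """\
{"time":"2025-03-10T08:01:02Z","operationName":"ListBlobs","statusCode":200,"callerIpAddress":"203.0.113.7:51234","uri":"https://examplestore.blob.core.windows.net/order-emails?restype=container&comp=list","identity":{"type":"Anonymous"}}
{"time":"2025-03-10T08:01:05Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"203.0.113.7:51240","uri":"https://examplestore.blob.core.windows.net/order-emails/confirmation-0001.html","identity":{"type":"Anonymous"}}
{"time":"2025-03-10T09:14:40Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"198.51.100.23:40022","uri":"https://examplestore.blob.core.windows.net/order-emails/confirmation-0002.html","identity":{"type":"Anonymous"}}
{"time":"2025-03-10T09:20:11Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"192.0.2.10:44100","uri":"https://examplestore.blob.core.windows.net/order-emails/confirmation-0003.html","identity":{"type":"OAuth"}}
{"time":"2025-03-10T09:31:09Z","operationName":"GetBlob","statusCode":404,"callerIpAddress":"198.51.100.23:40031","uri":"https://examplestore.blob.core.windows.net/private-backups/db.bak","identity":{"type":"Anonymous"}}
{"time":"2025-03-10T10:02:00Z","operationName":"PutBlob","statusCode":201,"callerIpAddress":"192.0.2.10:44180","uri":"https://examplestore.blob.core.windows.net/order-emails/confirmation-0004.html","identity":{"type":"SAS"}}
"""

READ_OPS = {"GetBlob", "ListBlobs", "GetBlobProperties"}

def anonymous_reads(lines):
    """Summarise successful unauthenticated reads per (account, container)."""
    hits = defaultdict(lambda: {"requests": 0, "listed": False, "ips": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if rec.get("identity", {}).get("type") != "Anonymous":
            continue  # request carried credentials (OAuth, SAS, account key)
        if rec.get("operationName") not in READ_OPS:
            continue
        if not 200 <= int(rec.get("statusCode", 0)) < 300:
            continue  # anonymous attempt was refused; container is not open
        url = urlsplit(rec.get("uri", ""))
        account = url.hostname.split(".")[0] if url.hostname else "?"
        container = url.path.lstrip("/").split("/")[0] or "$root"
        entry = hits[(account, container)]
        entry["requests"] += 1
        # A successful anonymous listing means the whole container is enumerable.
        entry["listed"] |= rec["operationName"] == "ListBlobs"
        # Sample addresses are IPv4 "ip:port"; keep only the address part.
        entry["ips"].add(rec.get("callerIpAddress", "").rsplit(":", 1)[0])
    return dict(hits)

if __name__ == "__main__":
    for key, info in anonymous_reads(SAMPLE_LOG.splitlines()).items():
        print(key, info["requests"], info["listed"], sorted(info["ips"]))
```

Any container that appears in the result is serving data without authentication, and a `listed` value of `True` means its contents were also enumerated.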

    CERT was notified about the leak on March 28, 2025. No confirmation has been issued by the affected platforms as of now.
