top of page

LightInTheBox Leaks Over 1TB of Customer Data

LightInTheBox Leaks Over 1TB of Customer Data

A Chinese online retailer with a huge North American fanbase has leaked more than 1 terabyte of customer data.

The major breach in the security of LightInTheBox was discovered by researchers at vpnmentor on November 20.

Researchers were able to gain access to a massive database containing 1.3 terabytes of daily logs dating from August 9, 2019, to October 11, 2019, totaling over 1.5 billion records.

The substantial leak compromised the security of LightInTheBox customers across the globe. Researchers were also able to access data from the vendor's subsidiary sites, including

"Our team was able to access this database because it was completely unsecured and unencrypted," wrote researchers.

Vpnmentor notified the vendor of the breach on November 24. Although no reply was received, the database breach was closed shortly after LightInTheBox was made aware of its existence.

LightInTheBox, which was founded in 2007, sells clothing, accessories, gadgets, and various items for the home and garden. Most of the 12 million monthly visitors to the retailer's website are based in North America and Europe.

The company does not provide specific details about their data security and storage practices and has not publicized any measures they may take to protect their customers’ data.

Vpnmentor researchers wrote: "The data breach affected customers around the world, with entries from many of their international sites, and in numerous languages."

Private personal data exposed in the leak included users' IP addresses, countries of residence, email addresses, and the destination pages and online activity of users on the vendor's website.

"This data breach represents a major lapse in LightInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken," wrote researchers.

Researchers warned that a leak of this nature could put customers at risk from crimes far more disturbing than online fraud.

"With a website user’s IP address, we were able to identify their city of residence. If a criminal hacker had access to this, along with the other data exposed, they could trick a victim into revealing their home address, and target them for theft and home robbery," wrote researchers. Source: Information Security Magazine


bottom of page