Top collectibles site leaks personal data of nearly a million users

  • Cybernews found an Elasticsearch instance with 870,000 unique records
  • They were generated by Collectibles.com, a major collectible cards marketplace
  • The database was locked ten days later

Collectibles.com, a major collectible cards marketplace, has been leaking sensitive information on hundreds of thousands of users, exposing them to risk of identity theft, wire fraud, phishing, and more, experts have claimed.

This is according to the research team from Cybernews, who recently discovered, and reported, a non-password-protected Elasticsearch instance.

The team found a 300GB cluster of valuable user data, counting more than 870,000 records, each representing a different person, noting how, “The exposure of user details and transaction histories poses a significant security risk, potentially enabling identity theft, targeted fraud, and account takeovers.”

Working around security solutions

Formerly known as Cardbase, Collectibles.com is an online marketplace and management platform for collectors, allowing users to track, buy, and sell various collectibles, including trading cards, comics, and memorabilia. In a 2024 press release, the company claimed to have roughly 300,000 users.

The data Collectibles.com was leaking includes people’s full names, their email addresses, profile picture links, other user account details, collectible card sales, and transactional data.

Cybernews reached out to the company to report their findings, “but besides an automated response, the company did not acknowledge the data leak,” they said.

The instance was closed ten days later, although we don’t know for how long it remained open before being discovered. We also don’t know if any malicious actors discovered it before Cybernews, and possibly even used the data in phishing.

Exposed databases remain one of the key causes of data leaks. Many organizations hoard sensitive customer data in cloud databases, and some of them don’t understand that in the cloud, security is a shared responsibility.

Security researchers and cybercriminals alike can use tools like Shodan or Elasticsearch to find these databases and use the information found there to run all kinds of scams.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
