Online eyewear stores exposes the data of 186K customers

Security researcher Jeremiah Fowler uncovered the database in October 2019, to which the sale records referenced VoogueMe.com and Zeelool.com. 

Fowler explained that upon further research, it appears that the company is based in either mainland China or Hong Kong. 

VoogueMe describes itself as a leading provider of stylish prescription eyeglasses and sunglasses, according to their website. 

The database had been set to open and thus publicly visible for anyone to view, edit, download or even allow them to delete data without administrative credentials. 

The database itself contained 186,000 sales records that include “emails, IP, and other customer data”, as well as 40.4 million visitor IP addresses. In addition, ports, pathways and storage information was also discovered in the database – all of which could be exploited by cybercriminals to access deeper into the network. 

“The real danger in an exposure like this is that it would make it easy to conduct a targeted phishing campaign. Cybercriminals would have the names, emails, billing amount, product type, and enough to potentially trick unsuspecting customers,” Fowler explained.

Additionally, cybercriminals could also target VoogueMe and Zeelool customers, therefore customers should be cautious with any suspicious emails referencing their previous orders. 

Fowler sent out multiple emails and left numerous voice messages from October 23, 2019 to January 13, 2020, which were all ignored.  

“There were no other contact options of how to responsibly disclose my discovery and secure the exposed data except using the same email or phone numbers that customers would use. In several months was never able to reach a real person or get a reply from support. Even if VoogueMe / Zeelool is  based in China, that is no excuse to not properly secure customer data and not respond to my months long campaign of disclosure notices