Cybersecurity researchers have found an unsecured database that reveals a scheme in which Amazon customers submit fake reviews in return for free items from Amazon vendors.
The unencrypted ElasticSearch server was discovered by cybersecurity specialists at the antivirus review site Safety Detectives. According to Safety Detectives, the server held more than 13 million records (7 GB of data).
The researchers noted, “The server contained a treasure trove of direct messages between Amazon vendors and customers… potentially implicating more than 200,000 people in unethical activities.”
“While it is unclear who owns the database, the breach demonstrates the inner workings of a prevalent issue affecting the online retail industry.”
Vendors on Amazon send reviewers lists of items for which they want a five-star rating. The reviewers then purchase the products and give them a five-star rating on Amazon.
Afterward, the reviewer replies to the vendor with their Amazon profile link and PayPal account details. The reviewer is refunded and keeps the reviewed product as payment, and in some cases receives an additional cash bonus.
The researchers said, “The refund for any purchased goods is actioned through PayPal and not directly through Amazon’s platform. This makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators.”
Vendors’ email addresses, as well as Telegram and WhatsApp contact details, were included in the database.
The messages connected to reviewers also contained more than 75,000 links to Amazon accounts, the email addresses of PayPal accounts, and other email addresses, as well as "fan names" that appear to be usernames but may include first names and surnames.
Vendors were also given email addresses for reaching reviewers, including 232,664 Google email addresses, although this figure contains duplicates. The researchers believe that between 200,000 and 250,000 users were affected in total, including Amazon vendors whose contact information was exposed.
The server was located in China, but the leak appears to have mainly affected Europe and the US, though the data may well extend to every country worldwide. The owner of the server has not been identified; once they are, they are expected to face action under consumer privacy laws.
In addition, vendors who pay for false reviews risk being sanctioned by Amazon for violating its terms of service. Depending on their location and on whether law enforcement or other authorities choose to prosecute product reviewers, reviewers can also face fines.