Swing and a miss? Topps apps database leaked fans’ info

When security researcher Chris Vickery was unable to get sports trading card giant Topps to respond to his notification that a database was exposing mobile apps fans’ information, DataBreaches.net stepped up to the plate.  

The exposed database was not the first time MacKeeper security researcher Chris Vickery had seen Topps mobile app fan data leaking. In early December, Vickery reports, he stumbled upon three separate, publicly accessible databases containing what, on quick inspection, appeared to be hundreds of thousands of user account details for Bunt, Huddle, and Kick fans. A few days later, and without any intervention from Vickery, the databases were secured. Vickery never found out whether those were Topps’ databases or some contractor’s databases, but because they were secured, he reasonably just turned his attention to other databases that were currently exposed.

Several weeks ago, however, Vickery discovered another exposed and publicly accessible database. This database, hosted on Amazon, contained all three apps’ fans’ data. As with so many other exposed databases, Vickery noted that it was a MongoDB installation that was open on port 27017.
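The exposure pattern in that sentence, a MongoDB instance reachable on every interface on its default port 27017 with no authorization, is what a defender's configuration check should catch before a scanner does. The following is an added example, not code from the article or from Topps; the two mongod.conf fragments are constructed, and the parser handles only the two-level YAML subset that mongod.conf normally uses.

```python
import re

def parse_simple_yaml(text):
    """Minimal parser for the 'section:\\n  key: value' subset used by
    mongod.conf. Returns {section: {key: value}} with string values."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(\s*)([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":                          # top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip().strip("\"'")
    return conf

def audit_mongod_config(text):
    """Return a list of weak-setting findings; an empty list means the
    config neither listens on all interfaces nor runs without auth."""
    conf = parse_simple_yaml(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    # Assumption: missing bindIp is treated as localhost, the default since
    # MongoDB 3.6; older builds bound all interfaces, so check explicitly there.
    bind = net.get("bindIp", "127.0.0.1")
    if "0.0.0.0" in bind or bind == "::" or net.get("bindIpAll") == "true":
        findings.append("bound to all interfaces on port %s" % net.get("port", "27017"))
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("authorization disabled")
    return findings

# Constructed weak config: the shape that leaves 27017 open to the internet.
WEAK_CONF = """storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened config: localhost-only listener plus role-based auth.
HARDENED_CONF = """storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

Binding to localhost is the minimum; an app server on another host still needs a firewalled private address in `bindIp` and authorization enabled, never `0.0.0.0` without auth.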

Vickery sent e-mails to three Topps support e-mail addresses for the apps, attempting to notify them, but other than an autoresponder, he got no response.  

“I have reason to believe the Topps phone apps team may have some data security issues to address, and I can’t get a response out of Topps,” Vickery reported. Because the data were still live, he did not reveal the amount or types of personal data being exposed, but DataBreaches.net was aware that the data likely included at least hundreds of thousands of fans’ profiles with their usernames and date of birth, as well as additional details of their trades and activity.

And there the situation stayed until DataBreaches.net got involved. When attempts to notify Topps through their public relations firm failed to produce a response, this reporter submitted a copy of the e-mail through the contact form on Topps’ web site. That, too, failed to produce a response, so DataBreaches.net called Topps’ corporate headquarters in New York. When the first voicemail produced no results, this reporter called again, and spoke with an internal helpdesk employee who helpfully passed the message to the digital team.

In less than 30 minutes, Jeremy Strauser, Vice President and General Manager of Digital Apps, called. I gave him the IP address and told him about Vickery’s attempts to notify them previously.

Less than one hour later, the server was secured. Vickery subsequently informed DataBreaches.net that Strauser called him following his conversation with me. He had investigated what had happened and explained that Vickery’s e-mail notifications had gone to spam as an employee had thought Vickery was trying to sell them something.

In a phone call with DataBreaches.net later yesterday, Strauser thanked this site for notifying Topps and explained that the server was controlled by one of their contractors. The contractor, he said, had run some script that seemed to reset or restore an older database that should no longer have been available. The data in the database were from 2013 and earlier and did not appear to contain current data.

Topps is still investigating the incident to determine the scope of the exposure and whether the data had been accessed or downloaded by unknown parties before they make any decisions about any additional steps or notifications that might be needed.

Thumbs up to Jeremy Strauser for his prompt response and for taking the time to contact Chris Vickery to explain why they hadn’t responded to Chris’s attempts to notify them.

As for this blogger, well, now I’m feeling nostalgic for the days when we held trading cards in our hands, flipped them, scaled them, and yes, even traded them. 

About the author: Dissent