A database used to operate an Amazon fake reviews scam has leaked in a data breach, exposing personal data for at least 200,000 people.
Amazon has been plagued by fake reviews for quite some time, with fictional high-scoring testimonials propping up product scores to make items look good on the online retailer’s pages. A data breach allegedly shows some of the workings behind one of the scams, as well as hinting at the scale of the problem.
The scam works like this: Amazon vendors send reviewers lists of products for which they want five-star reviews. The reviewers then buy the items and post a five-star “review” for each on Amazon.
The reviewer then sends a message back to the vendor, containing a link to their Amazon profile and PayPal details. The reviewer then receives the refund, and gets to keep the product they “reviewed” as payment, as well as an extra cash reward in some cases.
Security researchers from SafetyDetectives uncovered an open Elasticsearch database linked to one such operation on March 1, 2021. More than 13 million records, the equivalent of 7 gigabytes of data, were hosted in the open, without any form of password protection or encryption.
The database included email addresses as well as WhatsApp and Telegram phone numbers for vendors taking part in the scam. Messages linked to reviewers had directly and indirectly identifiable personal data, including over 75,000 links to Amazon accounts and profiles, PayPal account email addresses, other email addresses, and “fan names,” which are believed to be usernames but could contain names and surnames.
Vendors were also provided email addresses of reviewers to contact, including 232,664 Gmail addresses, though that also includes duplicates. In total, including Amazon vendors compromised via contact details, it is estimated by the researchers that between 200,000 and 250,000 people were affected.
While the server was based in China, it seems the leak may have primarily affected Europe and the United States, though the details could easily apply to any country in the world. The owner of the server is unknown, but it is anticipated that, if discovered, they could be subject to penalties under consumer protection laws.
Vendors paying for fake reviews may also face sanctions from Amazon itself for breaking its terms of service. Individuals reviewing products could face penalties, depending on their country of residence and whether law enforcement or regulators are interested in prosecution.
Fake reviews are a major problem for any digital storefront, and this includes Apple. In February, a wave of fake reviews prompted criticism of Apple for not doing enough to combat them, while in April, one app scam was found to be grossing over $1 million in revenue per month.