DataBreaches.Net
Swing and a miss? Topps apps database leaked fans’ info

Posted on June 24, 2016 by Dissent

When security researcher Chris Vickery was unable to get sports trading card giant Topps to respond to his notification that a database was exposing mobile apps fans’ information, DataBreaches.net stepped up to the plate.

The exposed database was not the first time MacKeeper security researcher Chris Vickery had seen Topps mobile app fan data leaking. In early December, Vickery reports, he stumbled upon three separate, publicly accessible databases containing what, on quick inspection, appeared to be hundreds of thousands of user account details for Bunt, Huddle, and Kick fans. A few days later, and without any intervention from Vickery, the databases were secured. Vickery never found out whether those were Topps’ databases or some contractor’s databases, but because they were secured, he reasonably just turned his attention to other databases that were currently exposed.

Several weeks ago, however, Vickery discovered another exposed and publicly accessible database. This database, hosted on Amazon, contained all three apps’ fans’ data. As with so many other exposed databases, Vickery noted that it was a MongoDB installation that was open on port 27017.

Vickery sent e-mails to three Topps support e-mail addresses for the apps, attempting to notify them, but other than an autoresponder, he got no response.

“I have reason to believe the Topps phone apps team may have some data security issues to address, and I can’t get a response out of Topps,” Vickery reported. Because the data were still live, he did not reveal the amount or types of personal data being exposed, but DataBreaches.net was aware that the data likely included at least hundreds of thousands of fans’ profiles with their usernames and date of birth, as well as additional details of their trades and activity.

And there the situation stayed until DataBreaches.net got involved. When attempts to notify Topps through their public relations firm failed to produce a response, this reporter submitted a copy of the e-mail through the contact form on Topps’ web site. That, too, failed to produce a response, so DataBreaches.net called Topps’ corporate headquarters in New York. When the first voicemail produced no results, this reporter called again, and spoke with an internal helpdesk employee who helpfully passed the message to the digital team.

In less than 30 minutes, Jeremy Strauser, Vice President and General Manager of Digital Apps, called. I gave him the IP address and told him about Vickery’s attempts to notify them previously.

Less than one hour later, the server was secured. Vickery subsequently informed DataBreaches.net that Strauser called him following his conversation with me. He had investigated what had happened and explained that Vickery’s e-mail notifications had gone to spam as an employee had thought Vickery was trying to sell them something.

In a phone call with DataBreaches.net later yesterday, Strauser thanked this site for notifying Topps and explained that the server was controlled by one of their contractors. The contractor, he said, had run some script that seemed to reset or restore an older database that should no longer have been available. The data in the database were from 2013 and earlier and did not appear to contain current data.

Topps is still investigating the incident to determine the scope of the exposure and whether the data had been accessed or downloaded by unknown parties before they make any decisions about any additional steps or notifications that might be needed.

Thumbs up to Jeremy Strauser for his prompt response and for taking the time to contact Chris Vickery to explain why they hadn’t responded to Chris’s attempts to notify them.

As for this blogger, well, now I’m feeling nostalgic for the days when we held trading cards in our hands, flipped them, scaled them, and yes, even traded them.

Category: Business Sector, Exposure, Subcontractor, U.S.