DataBreaches.Net
Swing and a miss? Topps apps database leaked fans’ info

Posted on June 24, 2016 by Dissent

When security researcher Chris Vickery was unable to get sports trading card giant Topps to respond to his notification that a database was exposing mobile apps fans’ information, DataBreaches.net stepped up to the plate.  

The exposed database was not the first time MacKeeper security researcher Chris Vickery had seen Topps mobile app fan data leaking. In early December, Vickery reports, he stumbled upon three separate, publicly accessible databases containing what, on quick inspection, appeared to be hundreds of thousands of user account details for Bunt, Huddle, and Kick fans. A few days later, and without any intervention from Vickery, the databases were secured. Vickery never found out whether those were Topps’ databases or some contractor’s databases, but because they were secured, he reasonably just turned his attention to other databases that were currently exposed.

Several weeks ago, however, Vickery discovered another exposed and publicly accessible database. This database, hosted on Amazon, contained all three apps’ fans’ data. As with so many other exposed databases, Vickery noted that it was a MongoDB installation that was open on port 27017.
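The exposure pattern described above (a MongoDB listener reachable from the Internet on 27017 with no credentials required) is a configuration defect that can be caught before deployment. The script below is an added example, not code from DataBreaches.net, Vickery, or Topps; it audits a mongod.conf for the two settings that produce that pattern, using constructed sample configurations rather than anything from the actual incident.

```python
# Constructed sample mongod.conf fragments (illustrative only, not the
# contractor's actual configuration from the article).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from every interface
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1    # loopback only; app servers reach it over a private network
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section:' / '  key: value' layout of
    mongod.conf. Scalars only; it is not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[0].isspace():                 # unindented: a section name
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return findings for settings that leave the instance open to anyone who
    can reach the port, with no credentials required."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    if net.get("bindIpAll") == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp: listens on all interfaces")
    elif bind is None:
        findings.append("net.bindIp unset: mongod releases before 3.6 bound all interfaces by default")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client reaching the port can read every database")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["no findings"])
```

Binding to loopback is only half the fix: an old database restored by a script, as happened here, comes back with whatever configuration the restore gives it, so the authorization check matters even on hosts that were once locked down.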

Vickery sent e-mails to three Topps support e-mail addresses for the apps, attempting to notify them, but other than an autoresponder, he got no response.  

“I have reason to believe the Topps phone apps team may have some data security issues to address, and I can’t get a response out of Topps,” Vickery reported. Because the data were still live, he did not reveal the amount or types of personal data being exposed, but DataBreaches.net was aware that the data likely included at least hundreds of thousands of fans’ profiles with their usernames and date of birth, as well as additional details of their trades and activity.

And there the situation stayed until DataBreaches.net got involved. When attempts to notify Topps through their public relations firm failed to produce a response, this reporter submitted a copy of the e-mail through the contact form on Topps’ web site. That, too, failed to produce a response, so DataBreaches.net called Topps’ corporate headquarters in New York. When the first voicemail produced no results, this reporter called again, and spoke with an internal helpdesk employee who helpfully passed the message to the digital team.

In less than 30 minutes, Jeremy Strauser, Vice President and General Manager of Digital Apps, called. I gave him the IP address and told him about Vickery’s attempts to notify them previously.

Less than one hour later, the server was secured. Vickery subsequently informed DataBreaches.net that Strauser called him following his conversation with me. He had investigated what had happened and explained that Vickery’s e-mail notifications had gone to spam as an employee had thought Vickery was trying to sell them something.

In a phone call with DataBreaches.net later yesterday, Strauser thanked this site for notifying Topps and explained that the server was controlled by one of their contractors. The contractor, he said, had run some script that seemed to reset or restore an older database that should no longer have been available. The data in the database were from 2013 and earlier and did not appear to contain current data.

Topps is still investigating the incident to determine the scope of the exposure and whether the data had been accessed or downloaded by unknown parties before they make any decisions about any additional steps or notifications that might be needed.

Thumbs up to Jeremy Strauser for his prompt response and for taking the time to contact Chris Vickery to explain why they hadn’t responded to Chris’s attempts to notify them.

As for this blogger, well, now I’m feeling nostalgic for the days when we held trading cards in our hands, flipped them, scaled them, and yes, even traded them. 

Category: Business Sector, Exposure, Subcontractor, U.S.
