Many online stores expose private backups in public folders, including internal account passwords, which can be exploited to take over e-commerce sites and extort owners.

According to a study by website security company Sansec, around 12% of online stores leave their backups in public folders due to human error or negligence.

The study looked at 2,037 stores of varying sizes and found that 250 (12.3%) exposed ZIP, SQL, and TAR archives on freely accessible public web folders without requiring authentication.

The archives appear to be backups containing database passwords, secret admin URLs, internal API keys, and customer PII (personally identifiable information).

Publicly exposed backups found by Sansec

In the same report, Sansec explains that its analysts see constant activity from attackers running automated scans to locate these backups and breach the stores behind them.

“Online criminals actively seek out these backups because they contain passwords and other sensitive information,” reads the Sansec report.

“Exposed secrets were used to take over stores, extort merchants and intercept customer payments.”

Threat actors try various possible staging name combinations on target sites based on the site name and public DNS data, such as “/db/staging-SITENAME.zip”.

Since these probes are inexpensive to run and do not affect the performance of the target store, hackers can run them for weeks on end until they find a backup.

Sansec reports seeing multiple source IP addresses for these attacks, so threat actors are well aware of the existence of exposed backups, and many are trying to take advantage of them.

If exposed backups contain administrator details, master database passwords, or employee accounts, attackers can use them to gain access to the site and steal data or perform destructive attacks.

Survey activity captured by Sansec

Check your sites!

Sansec urges website owners to regularly check their sites for accidentally exposed data and backups.

If a website backup was publicly exposed, immediately reset administrator accounts and database passwords, and enable 2FA on all staff accounts.

Additionally, check the web server logs to see if the backup was downloaded by a third party and check the administrator account activity logs for signs of external access and malicious behavior.
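One way to do the log review described above, added here as an example and not code from Sansec or its report: the script parses Apache/nginx combined-format access log lines (constructed samples, not from the report), separates archive requests that were actually served (HTTP 200/206, i.e. a download) from probes that were not, and tallies the probes per source IP so a sweep like the one the report describes stands out.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" or "common" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Archive types Sansec found exposed (ZIP, SQL, TAR); extend as needed.
ARCHIVE_RE = re.compile(r'\.(zip|sql|tar|tar\.gz|tgz)(\?.*)?$', re.IGNORECASE)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def analyze_access_log(lines):
    """Split archive requests into served downloads and unserved probes per IP."""
    downloads = []          # (ip, path, bytes, timestamp) for 200/206 responses
    probes = defaultdict(int)  # ip -> number of archive requests not served
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ARCHIVE_RE.search(rec["path"]):
            continue
        if rec["status"] in (200, 206):
            downloads.append((rec["ip"], rec["path"], rec["size"], rec["ts"]))
        else:
            probes[rec["ip"]] += 1
    return {"downloads": downloads, "probes": dict(probes)}

# Constructed sample log (not from the report): one guessing sweep that ends in a hit.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /db/staging-example.zip HTTP/1.1" 404 196
203.0.113.7 - - [01/Mar/2023:10:00:02 +0000] "GET /backup.sql HTTP/1.1" 404 196
203.0.113.7 - - [01/Mar/2023:10:00:03 +0000] "GET /example.tar.gz HTTP/1.1" 404 196
198.51.100.4 - - [01/Mar/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/Mar/2023:10:00:04 +0000] "GET /db/example-staging.zip HTTP/1.1" 200 83886080
""".splitlines()

if __name__ == "__main__":
    result = analyze_access_log(SAMPLE_LOG)
    for ip, path, size, ts in result["downloads"]:
        print(f"DOWNLOADED {path} ({size} bytes) by {ip} at {ts}")  # the incident
    for ip, n in result["probes"].items():
        print(f"PROBES {ip}: {n} archive requests that were not served")
```

A served archive request is the signal to act on (rotate credentials as described above); a run of 404s from one IP shows the scanning the report describes, even when nothing was found.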

Sansec suggests that website administrators configure the web server to restrict access to archive files if they are not needed in day-to-day operations to prevent data leaks.

Additionally, those using the Adobe Commerce platform must use the “immutable storage” feature.
