A Hipshipper data leak stemming from a misconfigured cloud database has exposed the shipping records of more than 14 million customers.
Hipshipper is a third-party international shipping service contracted by Amazon, Shopify, and eBay sellers to deliver goods across 150 countries. It offers package tracking, free insurance, and easy returns, thus enhancing the online shopping experience.
Cybernews researchers discovered the Hipshipper data leak on December 2, 2024, at the height of the holiday shopping season, and reported it a week later on December 9. However, the shipping company only fixed the security faux pas on January 8, 2025, nearly a month after it was reported.
Online customers at risk after Hipshipper data leak exposed shipping records
Cybernews security researchers said the data leak exposed shipping labels and customs declaration forms, which contain various personal details, including full names, home addresses, phone numbers, and order details.
Malicious actors could leverage the information to carry out phishing attacks and lure victims into disclosing more significant information, such as credit card numbers.
The data leak could also result in financial losses through advance fee or custom clearance scams that are very common in online shopping.
“Armed with leaked information about recent purchases or interactions, they enhance their plausibility and manipulate individuals into revealing sensitive data. Victims are more likely to comply, believing they are addressing an urgent and legitimate issue,” the Cybernews security team stated.
Attackers could also trick victims into clicking suspicious links, resulting in malware infection. Similarly, leaked physical addresses could expose victims to physical harm as criminals could leverage that information to plan burglaries.
Cybernews explained that Hipshipper left the 14.3 million shipping records exposed on an AWS bucket without a password, allowing anybody with an internet connection and a web browser to access them.
However, no evidence suggests that malicious actors accessed the shipping records or misused the exposed personal information for nefarious purposes. Cybernews has also confirmed that the security flaw was successfully fixed and the shipping records are no longer accessible to the public.
Meanwhile, the media outlet advised organizations to implement various security mitigations to prevent similar data breaches. They include changing access controls to prevent public access to AWS buckets, monitoring access logs to detect unauthorized access, and enabling server-side data encryption.
They also recommended using AWS Key Management Service (KMS) to securely manage encryption keys, implementing SSL/TLS for data in transit, and generally observing security best practices such as performing regular audits, automated security, and employee training.
Shipping companies affected by cyber attacks
Cyber attacks on shipping companies pose serious supply chain risks by disrupting the delivery of critical goods.
While the Hipshipper data leak was limited to the shipping records and did not result in a cyber attack, the failure of shipping companies to secure their systems could allow attackers to gain access to online platforms and pivot to other operationally critical systems.
Besides Hipshipper, other shipping companies have suffered data leaks and cyber attacks, exposing customers’ shipping records to illegal access by malicious actors.
In 2021, French maritime, shipping, and logistics giant CMA CGM suffered a data leak that exposed customers’ personal information including names, email addresses, and phone numbers, almost a year after it suffered a Lagnar Locker ransomware attack.
In July 2018, China Ocean Shipping Company (COSCO), a top-five global shipping company, suffered a ransomware attack that affected its North American operations.
In 2017, Danish logistics company Maersk also suffered the worst shipping cyber attack involving NotPetya ransomware that cost the company approximately $300 million in addition to reputational damage.
