The discovery came after Z2U exposed a cloud database containing 600,000 customers’ records.
Recently, vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 600,000 customer records. The database was owned by Z2U, a China-based platform.
Fowler analysed the data and noticed images of individuals holding their credit cards, passports, or other government-issued identification documents. This indicates a typical case of a company exposing the know-your-customer (KYC) data of its customers.
In addition to personal information, it contained records of bank transaction payments, user logins, emails and passwords, software license keys, customer support history, and refunds requested due to frozen accounts.
Z2U claims to be a platform that creates a reliable trade environment between gamers. However, the documents seen by Fowler indicate that the company sells everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+. Even more concerning is that Fowler confirmed seeing documents that reveal Z2U allegedly offers viruses, malware, and other malicious applications through its platform.
While Z2U claims not to sell stolen, hacked, or cracked accounts, it is unclear how the verification process is performed, other than through buyers requesting refunds when an account is no longer working or has been suspended.
According to vpnMentor’s report, the database contained records from users worldwide, and access was closed a week after Fowler sent the notice translated into Chinese.
The risks of the data being publicly exposed are significant. The images of individuals holding their identity documents and credit cards with their faces clearly visible were required by Z2U’s verification process and should have never been publicly exposed. This information puts users at significant risk of identity theft and fraudulent charges.
In addition to personally identifiable information and payment information, the images show that a wide range of other accounts or access to paid services were sold on Z2U’s platform, bypassing the validation processes put in place to prevent malicious or fraudulent activity on other social media platforms.
Many refund requests were marked “Seller Refused to Provide Refund.” Buyers who purchase accounts from secondary or potentially illicit marketplaces run the risk of not having their money returned or of never actually getting access to the account or goods they thought they were purchasing.
Fowler suspects that the records were attachments to and from customer support. He also saw video files where users filmed their screens to show login issues or payment problems. Z2U claims to have over one million positive reviews and even offers an affiliate program, but many mixed reviews exist, both positive and negative, on independent review websites and Reddit.
The database was hosted on a server based in China, and many of the documents and file names were in Chinese. Many of the account login email addresses for sale used Russian email accounts with the .ru domain extension. It is well-known that Russian cybercriminals are actively engaged in identity theft, online scams, and other malicious activities.
In conclusion, the discovery of the Z2U database raises many ethical and security concerns. While the company claims not to sell stolen, hacked, or cracked accounts, the verification process remains unclear, and the refund requests for frozen accounts suggest otherwise. The images of individuals holding their identification documents and credit cards expose them to significant risks of identity theft and fraudulent charges.