A Chinese site that sells stolen accounts and personal information has been found to have exposed more than 600,000 records of stolen data and customer information.

Detailed Tuesday by security researcher Jerimiah Fowler at vpnMentor, the site is called Z2U and operates as a gaming market. The site pitches itself as a “trade environment between gamers and games,” but further investigation, including of the leaked data, found much more.

The exposed data, found on a non-password-protected database labeled as customer support attachments, contained everything from Facebook and Instagram accounts, access to HBO, Netflix and Disney+ accounts and Windows license keys at a fraction of the real price. Sellers were also found to be offering viruses and malware.

The database was found to be a treasure trove of stolen information, including images of credit cards, customers, passports and other identification documents. Records show bank transaction payments, including international bank account numbers, user logins, emails and passwords for accounts, user logins and passwords and software license keys.

The database also showed records of order confirmations, including the buyer’s name, email and date of purchase, the sales of access to streaming and social media accounts, and other related buying details. So not only did the database contain stolen information, but it also contained information about those who purchased illicit items from the site.

The exposed data, not only the stolen account credentials but of those using the site, would provide a wealth of potential uses to bad actors. Given the customer information side, it would come in handy to law enforcement as well.

Despite the site’s nefarious use, Fowler complied with responsible disclosure and informed the Z2U that the database was exposed. It was taken offline a week after Fowler first reached out. It’s unknown how long the database was exposed or who may have had access to it.

“When data breaches occur, they not only put the affected users at risk of identity theft and fraud but also damage the reputation and potential revenue loss of the organizations involved,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Organizations must prioritize and implement robust database security measures to avoid the risk of sensitive information from their customers, clients, or patients being released or exposed to the public internet.”

Image: TheDigitalArtist/Pixabay