Alister Cameron // Blogologist

Changing the world. One blog(ger) at a time.

Did I uncover your credit card details on the web today!?

Today I accidentally uncovered a huge list of people’s names, addresses and credit card details online. No kidding.

Credit Cards

I found more than that: login details to people’s web hosting accounts and e-commerce site memberships as well. It was really freaky to think it was all just staring at me, thanks to a flukey Google search. Nothing more complicated than that. (And no, don’t email me for the search details!)

For whatever reason, a hacker has broken into a number of sites and stored the resulting DB dumps into text files that Google came along and indexed, all because this guy’s site’s directories were set to display their contents when no default file is present.

I have emailed Victoria Police with all the details. But after thinking about it some more, I have a simple observation and a suggestion…

First the observation that if a hacker is dumb enough to have your private login or credit card details online and indexable by Google, then they’re likely to be in a text file and unencrypted. If your credit card is listed, it’s probably had the spaces removed, since that’s how it will be stored (by idiots who don’t use a salted hash).

Search Google for Your “Privates”

So here’s the suggestion: search Google for your credit card number. If something shows up go check it out. See if you also fluke a list of hacked card details with your own details there too. If you find nothing it doesn’t mean you haven’t been hacked… it just means you’re not listed online.

Now, if you have a strange and obscure password you always use (that is most likely your and yours alone), try searching for that too. Again, if it shows up in Google’s SERPs, check out the page and see what’s there.

I must say I was pretty freaked out to have discovered these credit card details online. I mean, you’d think a hacker would be smart enough to keep his stuff away from public web access and Google indexing, but perhaps not.

Crappy Coding of E-Commerce Sites

All this raises an issue that I have been long worried about… the coding and security standards of e-commerce sites out there.

How do you and I know that a given site is secure or not. Suuuuuuuure… it has HTTPS working right and the little key comes up on your browser when you get to the page asking for your credit card details. So what?!

The real worry is whether a hacker can get into the database and suck out all the customer and purchasing records. And if a programmer doesn’t know what a salted hash is (basic basic stuff), he should be shot. If a programmer doesn’t know how to code his querystrings so that SQL can’t be injected in, then he should also be shot.

This is why you SHOULD think about the e-commerce platform chosen by your chosen vendor of whatever it is you’re about to buy online. See, there are known weaknesses with various different shopping cart software platforms out there. And if someone builds one from scratch… well, you’d better hope they know what they’re doing.

If It’s Always The Same Password, One Hack Is Enough

If you’re like me, you use the same username everywhere. It’s a branding thing. I’m “alicam” (or “blogologist”) almost everywhere, unless I can’t get these, or unless I don’t want to be “me”.

If you’re NOT like me, you also use the same password everywhere. (I confess… I used to, until a few years ago when I woke up!)

Here’s the danger of using the same password everywhere: a hacker only needs to compromise any one single website to which you are subscribed as a member to get your username and password (assuming he can get past the hash or whatever obfuscation is in place). Once he’s got these, he can try these again all over the place, looking for what other sites and services you belong to. Along the way he can gather more and more information about you, in readiness for “becoming you”… called Identity Theft.

So don’t use the same password every time. Here’s a trick that may work for you: add part or all of the domain name into your password, along with the bit you usually use. So, if your password was always “fr3dd0”, make it fr3dd0-yahoo, fr3dd0-google, fr3dd0-wordpress, etc. Sure, a person could work out what you’re doing, but not a machine. And often enough the attacks are done by machine, with a person taking over once there is some success breaking in.

In my case, I had a password generator make up 16-character long unique strings (with alpha-numeric and special characters), which I use uniquely for each of the services I use. I’m not taking chances. (How I memorize them all is my secret!)

Important Tips for Your Online Security

So, to conclude, here are some simple tips to keep you safe online:

  • Buy online from large, reputable suppliers only.
    Ideally, choose vendors in the same “jurisdiction” as you, and vendors who also sell to you offline.
  • Don’t buy from ugly sites.
    If the site looks really ugly and clunky on the front end, it might be coded that way on the back end too. Just walk away!
  • Use Paypal where you can.
    It’s an eBay company and gives you a safety net for online transactions. They spend millions getting it right.
  • Update your passwords.
    You should use really good passwords, and unique ones, for your important online services like banks, hosting suppliers, government, etc. Don’t double up on them.
  • Buy from countries you trust.
    If sounds snobbish, but if you get in trouble with a vendor who doesn’t deliver, and he’s from a country that can’t protect you in law, you’re up the creek without a strudel.
  • Know about phishing.
    You think you know what it means, but are you up-to-date on the latest tricks and techniques? Some of them are darned convincing. So use filters and software to help you too.

This is a quick brain-dump of my suggestions. There are more, so leave a comment for the benefit of others if you have some goodies 🙂

Do The Right Thing!

Finally, do the right thing. If you find stuff that shouldn’t be there, tell the authorities. If you’re a Google Search Guru with all your advanced operator trickery, then it’s even more possible that you’ll come across stuff like I did… but I sure hope not.

credit card fraud, identity theft, credit card theft, online fraud, identity fraud, phishing, online scams, hacking, google hacks, google hacking, alister cameron, exploits, vulnerabilities, internet security


Note: Commenter website links are not no-followed, in case
you were wondering... I believe in rewarding commenters!

  1. Posted 10 years, 11 months ago // Permalink

    Hey thanks for an awesome article….

    I try and keep my passwords changing every nw and then and have a few that I use but this has worried me and I am starting to think I should have a different PW for every single site….

    I am sure 88% of us have our details stored somewhere by someone!!

    I am def going to see if my CC numbers are lurking, indexed, online.

  2. Posted 10 years, 9 months ago // Permalink

    it’s amazing…Google is sharing too much information…if Google stores the pages it has index on there computers….are they sharing the CC details too?

  3. Posted 10 years, 6 months ago // Permalink

    Woah woah woah. That's definitely not good. I give out so much info on the web. I need to begin to watch my back more often. Seriously. It's usually just signing up for companies, but I guess you never know about things these days.

    Thanks for the post.

  4. Posted 10 years, 6 months ago // Permalink

    Many ISP’s log web traffic, and you have absolutely no idea who has access to this data or for how long it is kept

  5. Posted 10 years ago // Permalink

    I have to say, I feel most credit cards are scams. Best not to go down that road as youll be paying more in the future.

  6. Posted 10 years ago // Permalink

    i just wanted to say…
    ur all acting like… pure ignorant people.


    if they wanted to crash your life, they would have done it a long time back.. they gather info like cc’s… SO WHAT? if they’re this “bad’ do u reely think they dont have it already? ppl like the cia already know ur cc.. doh…

    i dont know im just feeling ur all so ignorant. and hashes are used because they cant be reversed, so u hash a password, then when u get some input, hash that, check against stored hash. get it?
    also, hashes like MD5 most definitely can be cracked. dont act like ur such noobs… google crack md5 hash. some guy even made this database which had every single 0 to 20 length password with all the alphanumerics and calculated their md5s, and gave an input form online for ppl wishing to crack any. the database was about only 10TB big…

  7. Posted 9 years, 11 months ago // Permalink

    This really scares me…Do Google ever know about this? How could they not find a way to protect those information? Anyway, thanks for the advice!

  8. Posted 9 years, 9 months ago // Permalink

    The whole paranoia of information being leaked on the Internet is an interesting phenomena. Many people, without so much as a thought, use credit cards and personal information multiple times a day at a variety of brick and mortar places. From the largest chains down to the smallest hole in the wall the plastic and your information is thrown on the counter. Yet as soon as you’re on the Internet all of a sudden you’re a target?

    Information, identity and CC theft will happen both offline and online. Being paranoid won’t save you. Due diligence obviously will help but there’s always someone that will be one step ahead of you. Just be careful and relax. As mentioned, its likely thousands of people you’ve interacted with have all your information anyways.

    A simple CC number search in Google will not end your world. The government won’t be jumping with joy for the newly found information. The people who are intentionally stealing this information will be busy getting hundreds of numbers at a time and not waiting for you to key in some personal info in Google.

    Considering all the fears that were exposed in this post I wonder why so many are online?

  9. Posted 8 years, 8 months ago // Permalink

    Hi there, firstly, I want to let you know that I think it’s a excellent weblog you got here. However, I haven’t found out the way to include your website rss in my feed reader – where’s the link for the rss feed? Many thanks

  10. Posted 8 years, 4 months ago // Permalink

    That’s pretty shocking, although it’s not really Google’s fault. As long as there a crappy coded sites, the only way to avoid this is only ordering from big retailers and skipping the wannabe merchants on the web.

  11. Posted 8 years, 3 months ago // Permalink

    This is nuts!!! I can’t believe it. Although it happened a while ago, its still crazy that things weren’t more secure

7 Trackbacks/Pingbacks

  1. […] lives in Melbourne and describes himself as a passionate ”blogologist”. Cameron’s most popular post, about stumbling onto people’s unprotected credit card details during a Google search last year, […]

  2. […] lives in Melbourne and describes himself as a passionate ”blogologist”. Cameron’s most popular post, about stumbling onto people’s unprotected credit card details during a Google search last year, […]

  3. […] the reason why I do this was reinforce by a post by Alister Cameron last Saturday called “Did I uncover your credit card details on the web today!?” (now there’s a title to get anyone’s attention). Today I accidentally uncovered a huge […]

  4. […] lives in Melbourne and describes himself as a passionate ”blogologist”. Cameron’s most popular post, about stumbling onto people’s unprotected credit card details during a Google search last year, […]

  5. […] Did I uncover your credit card details on the web today!? SAVE […]

  6. […] Did I uncover your credit card info? This guy accidentally stumbled upon a database of stolen personal information and goes on to list some security measures. The password advice is really important. I’ve probably told this story before but it’s worth repeating.  A billion years ago I managed an online community (not and learned that the passwords people used to log into the message board are often the same they use for their e-mail, social groups, bank accounts, porn subscriptions, etc.  (I’m not sure what the legalities are about the way I learned this lesson so I’ll skip the details but suffice it to say that I was morally justified because of some threats made in the forum.) Anyway, the point is, your password may be visible to a variety of people who work behind the curtain on the sites you log into so it’s a good idea to keep a few different ones. […]

Post a Comment

Your email is never published nor shared. Required fields are marked *

  • My Posts in Your In-box!

    Enter your email address here for instant updates in your inbox, whenever I post something new.
    Your email address is in safe hands. Relax!
© Copyright 2007 Alister Cameron. All Rights Reserved Theme // Sitemap // RSS