Top online gift platform leaks user details, including thousands of US military members

Image Credit: Shutterstock (Image credit: Shutterstock)

300,000 emails from EnamelPin, owner of gs-jj.com, exposed online
Many originate from .gov or .mil sources, which are used by military or government workers
The leak exposed the sites links to China

Researchers at Cybernews recently discovered over 300,000 emails from EnamelPin customers were exposed for months thanks to an open Elasticsearch instance.

EnamelPin Inc is the owner of popular gift site gs-jj.com, which sells medals, lapel pins, emblems, and more.

The leaked emails contained personal information such as full names and email addresses, around 2,500 were from .gov and .mil domains. The site is unsurprisingly popular amongst US government officials and military officers, who had ordered products such as coins, patches, and medals.

National Security Concerns

“The emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses,” Cybernews researchers said.

Other security issues were discovered on the site, such as the exposure of hidden git repository configuration, folder, and file structure of the website.

The data was left exposed for months, according to researchers. The information was publicly accessible from April 22 until December 5, which left many customers at risk, particularly of identity theft.

Whilst EnamelPin Inc is registered in California and aimed at civilians, the leak exposed previous unknown links to China. Researchers found a publicly accessible Git configuration file which revealed the website’s source code repository is hosted on a Chinese server.

The company also has an ‘complete expert team in China’, long delivery times suggest overseas fulfilment, and the customer support team communicate in broken English.

“Due to the Chinese government’s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings," Cybernews added.

“This leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information.”

Take a look at our pick of the best antivirus software around
These are the most damaging scams around, according to Google — so be on your guard
Check out our choices for best malware removal software

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.