AI Coding Tools Lead to Leak of 345,000 Credit Card Records on Dark Web
Severity: High (Score: 64.5)
Sources: Firstpost, Newsbytesapp
Summary
A dark web marketplace named 'Jerry's Store' leaked over 345,000 credit card records due to poor security practices stemming from reliance on AI coding tools. Researchers from Cybernews discovered an unsecured server linked to the marketplace, which sold stolen payment card information and provided verification tools for buyers. The breach was attributed to the operators' use of Cursor, an AI-powered coding assistant, which generated insecure code due to vague instructions. The exposed data included approximately 145,000 valid credit card records with sensitive details such as card numbers, expiry dates, and CVV codes. The incident highlights the risks associated with 'vibe coding', where users provide plain English descriptions for AI to generate code. The server was found open to the internet without any authentication barriers, allowing unauthorized access to sensitive information. The leak occurred after a request for a statistics dashboard was made to the AI, which was then deployed without proper security checks.
Key Points:
- Over 345,000 credit card records were leaked from Jerry's Store due to AI coding errors.
- The breach was caused by unsecured code generated by the AI tool Cursor, following vague instructions.
- The exposed data included 145,000 valid credit card records with sensitive personal information.
Key Entities
- Data Breach (attack_type)
- Axis Bank (company)
- City Union Bank (company)
- ICICI Bank (company)
- IndusInd Bank (company)
- Jerry's Store (company)
- India (country)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-287 - Improper Authentication (cwe)
- Financial (industry)
- CountryMax (platform)
- Elf Cosmetics (platform)
- Lyft (platform)
- Sam’s Club (platform)