Users could see other people’s details when they update their accounts. That’s not secure!

GameStop, a long-established chain in the US primarily known for video games, has allegedly leaked the personal details of several users, including their addresses and purchase history. Several users had said on social media that they saw other users’ data for a short time on Saturday when they updated their website.

“Every time I refresh the website, I can see someone else’s name, phone number, address, order history… it’s like a cycle of 4 or 5 people. This is very worrisome, can’t even change password because of this glitch,” wrote one Reddit user. “Oh God, I tried it, and it’s doing it for me too. Addresses, birthdays, emails, etc… this is bad. You can view the digital currency codes as it sends the verification code to your email. My friend could view a full credit card number by clicking on a card, but the site reloaded quickly after that,” wrote another user.

And on Twitter, a user wrote that he was able to see more user data as GameStop’s website was updated during Saturday’s events: “GameStop website was tripping out and kept hopping me between a couple of dozen different profiles. The name at the top of the screen kept changing, as the items in the cart and the Pro Rewards points. I thought I was being hacked, but the GS app seems stable” So this is not a one-off…

GameStop customer service responded to VGC. According to them, the addresses and names in users’ accounts were test data, not accurate user information. They corrected this problem on Saturday. However, a search indicates that some of the names and addresses users may have seen may have been real. The publication has not received an answer to it yet.

The only question we have is: how did GameStop mess up?

Source: VGC