Watch out, firearm lovers. The subtly-named guns.com, a place where Americans can go to pick out whatever stylish boomstick they like and have it shipped straight to their neck of the woods, seems to have a pretty awful data breach on its hands.
Back in January, a hacker temporarily disabled the company’s website, interfering with the site’s retail operations and forcing the weapons peddler to apologize to its confused customers for the whole debacle.
Guns.com has claimed that this attack was meant to prevent the “business from operating”—and that there is “no indication” of any attempt to steal data. However, this assessment may be wrong.
This week a large cache of files allegedly taken from the site appeared on the popular dark web site Raid Forums. In fact, an anonymous user offered Guns.com’s entire kit and caboodle—allegedly everything from troves of consumer and administrative data to the site’s stolen source code—free to all comers.
The data dump shows substantial gun buyer information, including user IDs, full names, email addresses, phone numbers, hashed passwords, and, most alarmingly, physical addresses—including city, state, and zip code information. The site data has been viewed by Gizmodo and it was originally reported on by Hackread.
The dump also seems to show access to information about many of the firearms providers that sell through the platform (the site acts as a location for sellers as much as for buyers), and Hackread reports that an Excel file within the data tranche shows “sensitive login details of Guns.com including its administrator’s WordPress, MYSQL, and Cloud (Azure) credentials,” though it’s unclear if this is recent information. We also found back-end code for a Laravel-powered version of the site, although it isn’t clear what platform the retailer is currently using.
There is no proof that hackers stole this data during the January cyberattack (it could have been stolen during a previous intrusion), though it seems like a natural fit, given the timing.
An incident like this really hammers home the invasive potential of a data breach. With the kinds of information available from this hack, a skilled cybercriminal could commit a number of identity fraud schemes, be well equipped to target victims with phishing scams or other malicious behavior, and perform any number of other damaging activities. We have placed multiple calls and sent emails to the “Guns.com Team” and we will update this story if they respond.
UPDATE 8:00 p.m. This article has been edited to clarify how the shipping process with Guns.com works. Purchased firearms are shipped by the company to a licensed dealer, where the weapon can be picked up by a customer.