Target wish list app leaks private information

It’s the holiday season and we have to report on a possible data breach at Target…again.  

Researchers at security company Avast have revealed a flaw in retailers’ wish list apps that allow unauthorized access to customer addresses, phone numbers and other personal information.

The Target app has a database of users’ wish lists, names, addresses, and email addresses.  Unfortunately, your friends and family are not the only ones with access.

“We discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer,” Avast reports in a blog post.  “Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.”

Silver lining?  No credit card information is compromised.

According to Avast, what was compromised on this app was “users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries”.

Avast has notified Target of the issue, and Target has disabled some elements of their wish list app in order to protect customer data.

This situation must be a nightmare for Target who is still dealing with the fallout from a highly publicized and massive 2013 breach. The breach in 2013 is considered by many to be the big kickoff of the trend of large public data breaches that we see regularly today.  The breach exposed 40 million credit and debit cards. Hackers planted malware on the point-of-sales systems of the popular retailer by first hacking a third-party HVAC company’s laptop.  Target recently settled a $39 million lawsuit with Mastercard.


For information on how you can prevent your organization from being breached, visit or call 714-515-4011.


Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *