Hobby Lobby, the American arts and crafts giant that also happened to purchase thousands of ancient artifacts looted from modern-day Iraq, exposed a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as source code for the company's app, according to a security researcher.
The data was as recent as 2020, impacted more than 300,000 users, and totaled at around 138GB in size, the independent and pseudonymous security researcher known as "boogeyman" who discovered the leak, told Motherboard in an online chat.
Boogeyman provided multiple screenshots of the data to Motherboard for verification purposes. Those images indicate the information was hosted on an open AWS bucket, a common source for inadvertently exposed data. The data also included Hobby Lobby employee names and email addresses, Boogeyman added.
"We identified the access control involved and have taken steps to secure the system," Hobby Lobby told Motherboard in an email. Boogeyman said they previously tried to warn Hobby Lobby of the issue but received no response.
It is unclear whether Hobby Lobby is going to notify impact users.
Hobby Lobby was the driving force behind a 2014 Supreme Court ruling which found that the government cannot force employers to provide insurance coverage for birth control if that would run against the employer's religious beliefs, radically changing how women can obtain the pill or other contraception. Hobby Lobby's owners founded the Museum of the Bible in Washington, DC.
Hobby Lobby is suing auction house Christie's for selling an antique that authorities later said was looted.
Subscribe to our cybersecurity podcast CYBER, here.