vpnMentor said<\/a> the incident was not caused by an unsecured bucket or misconfiguration in a cloud storage system — as is often the case with when it comes to accidental leaks — but rather a “simple oversight” in the firm’s online order tracking infrastructure. <\/p>\nThe breach, discovered through a web mapping project underway at vpnMentor, was caused by a failure to implement authentication protocols for a popular URL shortener tool used on the retailer’s US e-commerce domain. <\/p>\n
Carter’s is a major retailer for baby clothing and apparel in the United States which now operates worldwide. The company generated over $3 billion in revenue during 2020. <\/p>\n
When a purchase was made through the Carter’s US website, the vendor would automatically send them a shortened URL to access a purchase confirmation page. However, a lack of security around the URLs themselves, together with no authentication to verify the customer, was problematic. <\/p>\n
The confirmation pages, generated by Linc’s automation platform, contained a variety of customer PII — and to add another potential problem, the links never expired, allowing anyone to access these pages at will, at any time, alongside backend JSON records. <\/p>\n
Information exposed on these pages included full names, physical addresses, email addresses, phone numbers, shipping tracker IDs, as well as purchase and transaction details. <\/p>\n<\/span><\/figcaption><\/figure>\n <\/section>\n“Due to the massive volume of sales Carter’s enjoys every year, this simple but drastic oversight exposed 100,000s of people to fraud, theft, and many other dangers,” the researchers say. <\/p>\n
Due to the nature of the flaw, the exact number of records exposed is unknown. However, the team estimates that over 410,000 records could have been open to abuse, with the potential impact including phishing, social engineering, and identity theft. <\/p>\n
Carter’s was informed of the security breach on March 22, five days after the initial discovery. Contact was made on March 30, and initially, the retailer asked vpnMentor to submit their findings through Bugcrowd. However, Carter’s eventually accepted the direct report and the shortened URLs were pulled between April 4 – 7. <\/p>\n
ZDNet has reached out to Carter’s but has not heard back at the time of publication. <\/p>\n
Previous and related coverage <\/h3>\n Have a tip?<\/strong> Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0<\/p>\n READ MORE HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"READ MORE HERE…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[2514],"class_list":["post-41315","post","type-post","status-publish","format-standard","hentry","category-packet-storm","tag-headlineprivacydata-loss"],"yoast_head":"\n
US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-11T14:35:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"US Retailer Carter Leaks PII With URL Shortener\",\"datePublished\":\"2021-06-11T14:35:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/\"},\"wordCount\":413,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zdnet.com\\\/article\\\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\\\/\",\"keywords\":[\"headline,privacy,data loss\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/\",\"name\":\"US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zdnet.com\\\/article\\\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\\\/\",\"datePublished\":\"2021-06-11T14:35:09+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.zdnet.com\\\/article\\\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\\\/\",\"contentUrl\":\"https:\\\/\\\/www.zdnet.com\\\/article\\\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\\\/\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/us-retailer-carter-leaks-pii-with-url-shortener\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,privacy,data loss\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlineprivacydata-loss\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"US Retailer Carter Leaks PII With URL Shortener\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/","og_locale":"en_US","og_type":"article","og_title":"US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-06-11T14:35:09+00:00","og_image":[{"url":"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"US Retailer Carter Leaks PII With URL Shortener","datePublished":"2021-06-11T14:35:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/"},"wordCount":413,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#primaryimage"},"thumbnailUrl":"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/","keywords":["headline,privacy,data loss"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/","url":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/","name":"US Retailer Carter Leaks PII With URL Shortener 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#primaryimage"},"thumbnailUrl":"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/","datePublished":"2021-06-11T14:35:09+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#primaryimage","url":"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/","contentUrl":"https:\/\/www.zdnet.com\/article\/lax-security-around-url-shortener-exposed-pii-of-us-retailer-carters-customer-base\/"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/us-retailer-carter-leaks-pii-with-url-shortener\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,privacy,data loss","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlineprivacydata-loss\/"},{"@type":"ListItem","position":3,"name":"US Retailer Carter Leaks PII With URL Shortener"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41315"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41315\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"screenshot-2021-06-10-at-14-48-31.png\"](\"https:\/\/www.zdnet.com\/a\/hub\/i\/2021\/06\/10\/254646b8-92c3-4d71-8f68-7b57af571920\/screenshot-2021-06-10-at-14-48-31.png\")