epoch security breach
today we received a nice letter from an "independent cyber security researcher" and the person informed us about "a vulnerability" in our "payment gateway" which leaks the full information of db, ftp etc.
the person also told us that there is an "idor vulnerability" / "PII leak" on epoch website which leaks explicit data "because they didn't have an audit on their web apps and now this major data leak because of not following security standards", data are simply not encrypted.
we can consider ourselves lucky because the data concerning us was for a test system that does not contain any real data. the person also provided us a proof of concept with all the explicit data to this test system which we had entered on the epoch merchant backend.
it is certainly conceivable that not only merchant/platform data is/was visible here, but also data of end customers who process their bookings with epoch payment methods.
good luck