As many as 22,000 credit card numbers have been exposed via a defunct payment gateway.
An Australian IT industry worker discovered the details by mistake via a security hole within Google, where pages of defunct websites containing sensitive directories remain cached and available to anyone.
It is believed that up to 19,000 of these numbers could be active, with most belonging to customers in the US and Britain. The details include CVV numbers, expiry dates, names and addresses and are for accounts held with Visa, MasterCard, American Express, Solo, Switch, Delta and Maestro/Cirrus.
The URLs of companies including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing were also available to view.
The IT worker, who chose to remain anonymous, told iTnews: “I received a Google Alert for a name. The alert started with a bunch of other numbers, so I went to the web page and it was just a virtual directory listing with a bunch of directories underneath and a load of files inside.
“It looks like the site might have been a payment processing gateway that handled credit card transactions for a bunch of websites before it went belly-up.”
He claimed that he tried to report the find immediately to Visa and MasterCard, but said neither returned calls.
A spokesperson for Visa said: “We're investigating this report as a matter of priority, but it's too early to make any further comment.”
The IT worker has now handed the information to police.