Australian fashion giant leaks 3.5 million records

More than 3.5 million records have been exposed from Australian fashion retailer Sabo after a database was left unprotected on the internet.

Security researcher Jeremiah Fowler – who is known for identifying large datasets on the internet – discovered an unencrypted, passwordless database that contained 3.58 million PDF documents.

As disclosed to vpnMentor, Fowler analysed a “limited sampling” of the total 292GB of data to find personally identifiable information which included names, physical addresses, email addresses, phone numbers and more.

The database also contained invoices, packing slips, return documents and order details for retail and commercial customers.

Further, Fowler noticed the number of potentially impacted customers may have been higher than the total number of PDFs in the database.

“In one single PDF file, there were 50 separate order pages,” Fowler explained.

“The records appeared to belong to an internal document management storage system that is used to track sales and returns, as well as the corresponding domestic and international shipping documents.”

After observing a range of files dated between 2015 and 2025, Fowler said the database and its records “presumably" belonged to Brisbane-based fashion brand Sabo (stylised as SABO).

Although the records appeared to belong to Sabo, Fowler was unsure if the database itself was managed in-house or by a third-party contractor.

Sabo sells its exclusive clothing line at physical locations in NSW and Queensland, and to global customers via its online store.

Sabo quiet as database plugged shut

As soon as Fowler discovered the exposed database, he “immediately sent a responsible disclosure notice” to Sabo.

Though the database was restricted from public access within hours of Fowler’s notification, he says he did not receive a response from the fashion retailer.

The database and its containing 3.58 million documents were first disclosed on Monday, but it is not known how long the database was exposed before being discovered.

^{Sabo has almost 2 million followers on Instagram and sells its clothes locally and internationally. Photo: Instagram}

It is also unclear whether anyone other than Fowler may have gained access to the database.

“Only an internal forensic audit could identify additional access or potentially suspicious activity,” said Fowler.

Information Age asked Sabo whether it was aware of anyone other than Fowler having accessed the database, but the company did not respond.

A scammer’s goldmine

Though Fowler stopped short of claiming Sabo’s clients are actively at risk from the leak, he went on to point out “hypothetical real-world scenarios” of how the information could be used by criminals.

He warned the data leak, if exploited by malicious actors, could put shoppers at “potential risk” of targeted phishing and lead to social engineering attacks or financial fraud.

Will Walker, founder of Melbourne-based scam protection company Scam Stopper, told Information Age having an exposed database for any period of time is dangerous, and the risk “grows exponentially the longer it is exposed”.

“When a database is found to be exposed, it is best practice to assume nefarious individuals have had access to the data and to act proactively to protect the company, its staff, and most importantly, their customers,” said Walker.

^{Researcher Jeremiah Fowler contacted Sabo and they fixed the problem without acknowledging the incident. Photo: Supplied}

Walker added that when scammers gain access to information that only a company should be privy to, they can create scam campaigns with “greater accuracy and consistency”.

“This taps into the existing trust of the relationship between victims and the company,” said Walker.

“Scammers [with access] can exploit that trust at mass scale.

“Common examples of these scams can include fake invoices, refund error scam and missed delivery scams.”

^{Some of the invoices discovered by the researcher Jeremiah Fowler. Photo: Supplied}

Indeed, after luxury brand Louis Vuitton suffered a recent data breach of its own, customers on Reddit started to report scam emails which falsely promoted a new NFT collection from the brand.

Jamieson O’Reilly, founder of Australian information security company Dvuln, told Information Age it appeared the data from Louis Vuitton’s latest data breach was “being used to run super-targeted scam phishing campaigns”.

“The evolutionary pressure of old-school phishing campaigns has forced attackers to stitch together brand trust with breach data,” O’Reilly wrote on X.

“This is how phishing works in 2025.”