Misconfigured Server Run by Hackers Leaks 345,000 Stolen Credit Cards

HackRead, Apr 30, 2026

Why It Matters

The breach provides criminals with a massive, ready‑to‑sell list of working cards, intensifying fraud pressure on merchants and consumers, while exposing the dangers of unchecked AI‑driven development in cybercrime operations.

Key Takeaways

  • Jerry’s Store leaked 345,000 stolen credit cards due to AI error
  • Cursor AI created an unauthenticated web directory exposing the database
  • Over 145,000 active cards valued up to $2.6 million on dark web
  • Hackers verified cards with micro‑transactions on Amazon, Lyft, Temu, others
  • Case underscores need for manual review when using AI for code

Pulse Analysis

The rise of AI‑assisted development environments promises faster software delivery, but the Jerry’s Store incident demonstrates a stark downside. When the hackers asked Cursor to build a statistics dashboard, the tool produced an open web directory lacking authentication, effectively publishing a private database to the internet. This misstep, rooted in the AI’s inability to enforce security policies, turned a sophisticated card‑verification platform into a public data dump, underscoring the importance of integrating robust guardrails into AI coding assistants.

The leaked repository contained 345,000 credit‑card records, including names, addresses, numbers and CVVs. Analysts estimate that more than 145,000 of those cards are still active, with each fetching $7‑$18 on underground markets—a total potential value of about $2.6 million. The criminals validated card viability by making tiny purchases on high‑traffic services such as Amazon US, Amazon JP, Grubhub, and Lyft. Successful transactions marked a card as "good," allowing it to be resold at premium prices. This systematic verification pipeline illustrates how threat actors monetize stolen data at scale, turning raw leaks into profitable fraud assets.

Beyond the immediate financial loss, the breach raises broader concerns for the tech industry. AI code generators like Cursor lack contextual awareness of illicit use cases, and without mandatory code reviews, they can inadvertently facilitate large‑scale data exposure. Security teams must adopt a layered approach: enforce strict access controls, conduct regular audits of AI‑produced code, and educate developers on the risks of over‑reliance on automation. Policymakers and AI vendors alike should consider embedding ethical safeguards to prevent tools from being weaponized, ensuring that innovation does not come at the expense of cybersecurity resilience.
