Dark Web Breach Exposes 345,000 Stolen Credit Card Records Amid Vibe Coding Risks
A significant cybersecurity breach has been uncovered within a dark web marketplace known as “Jerry’s Store,” which specializes in the sale of stolen credit card information. This incident has compromised over 345,000 credit card records, highlighting the vulnerabilities that arise from the increasing use of artificial intelligence (AI) coding tools in cybercrime. Researchers are drawing attention to the risks associated with “vibe coding,” a practice where AI-generated software is deployed without sufficient security measures or human oversight.
The Incident Unfolds
Researchers recently identified an unsecured server associated with Jerry’s Store, a platform that not only sold stolen payment card data but also offered tools for customers to verify the validity of these cards prior to purchase. The exposed data included internal systems, validation logs, and administrative dashboards, revealing a concerning lack of security protocols.
The breach occurred because the operators of Jerry’s Store constructed significant portions of their infrastructure using AI coding assistants, specifically Cursor, developed by Anysphere, a U.S.-based software company. While Cursor is a legitimate tool used by many developers, the operators of Jerry’s Store reportedly relied on it excessively to create both backend systems and internal dashboards without implementing necessary security checks.
The Risks of Vibe Coding
This incident serves as a stark example of the risks associated with vibe coding, a growing trend where users provide vague instructions in plain language, allowing AI systems to generate code automatically. The lack of specificity in these instructions can lead to significant oversights, particularly in security measures.
Researchers noted that the problems began when the operators issued unclear directives to the AI system, resulting in an exposed web dashboard accessible via a standard browser, devoid of password protection or authentication barriers. The server was discovered on April 16, revealing sensitive information that had been left unguarded on the internet.
The leaked data comprised approximately 145,000 valid payment card records, including full card numbers, expiration dates, CVV codes, names, and billing addresses. Additionally, around 200,000 records were flagged as invalid by the system.
How the Card Validation System Operated
The exposed platform functioned as a card verification service for criminals purchasing stolen payment details. Instead of selling untested card data, the system performed real-world payment tests through legitimate companies to ascertain whether the cards were still active.
The operators created fake accounts on various platforms, including Amazon, Grubhub, and Lyft, conducting small transactions or adding stolen cards as payment methods to verify their functionality. Cards that passed these checks were marked as valid and sold at higher prices on dark web marketplaces, as verified cards are significantly more valuable in cybercrime forums.
The leak was traced back to a specific request within the operators’ chat history with Cursor. An administrator had asked the AI to generate a statistics dashboard, which was subsequently deployed online without any security measures in place. This incident underscores the potential for accidental data leaks, even in legitimate software development contexts.
Regulatory Scrutiny and Broader Implications
The revelations surrounding Jerry’s Store come at a time when regulators worldwide are facing increasing pressure to address the rise of sophisticated online financial scams and digital fraud operations. In India, the Reserve Bank of India recently mandated five banks—Axis Bank, City Union Bank, ICICI Bank, IndusInd Bank, and Yes Bank—to compensate a victim of a large-scale “digital arrest” scam. The RBI ombudsman ordered the banks to collectively pay Rs 1.31 crore after identifying failures related to monitoring mule accounts and KYC compliance.
This case involves a retired banker, Naresh Malhotra, who claims that fraudsters siphoned off nearly Rs 23 crore through an elaborate scam operation currently under scrutiny by the Supreme Court of India. Together, these incidents illustrate a rapidly evolving cybercrime landscape where AI tools, inadequate security practices, and lapses in financial oversight are increasingly converging in perilous ways.
The exposure of sensitive data from Jerry’s Store raises concerns about the effectiveness of security measures in the dark web and serves as a cautionary tale for developers and organizations utilizing AI tools in their operations. The necessity for robust security protocols and human oversight has never been more critical in safeguarding sensitive information in an era where cyber threats are becoming more sophisticated.
For ongoing coverage and breaking updates, visit our Latest News section.
Published on 2026-05-09 08:09:00 • By the Editorial Desk
