A criminal operation running a stolen-credit-card validation service leaked around 345,000 credit card records. The cause traces back to the operators themselves because they built the whole system using AI coding tools, but never locked it down.
The exposed server was discovered on April 16 by Cybernews researchers. It belonged to a carding marketplace called Jerry’s Store that sells stolen card data on the dark web. The shop also runs a tool that lets buyers check whether a card is still working before paying for it.
The AI architect behind Jerry’s Store
Jerry’s Store’s server was built with Cursor, an AI coding assistant from a U.S.-based software company, Anysphere. Although Cursor itself is a legitimate product used by professional developers, the Jerry’s Store operators relied on it heavily both to create their server infrastructure and internal dashboards utilized by staff.
That is roughly where everything went wrong. The instructions the operators gave Cursor were vague, and the AI coding tool didn’t push back. What ended up exposed online was an unprotected dashboard that anybody with a browser could open, that required no login, and had no restrictions.
People are now calling this approach vibe coding. The basic idea is that a developer types out what they want in plain English and lets an AI like Cursor, Codex, or Claude Code write the code unhindered. While effective, the trouble shows up when no one properly checks or secures what has been built.
Inside the leaked database
Plenty of sensitive data was sitting on the exposed server. Cybernews found nearly 200,000 card records that the system had flagged as invalid, and another 145,000 or so that were marked as valid. The valid records came complete with entire card numbers, expiration dates, security codes, names, and addresses.
The validation process relied on real merchants, including Amazon, Grubhub, Sam’s Club, Temu, Lyft, Elf Cosmetics, and CountryMax. The operators created fake accounts at these companies, hundreds in some cases, thousands in others.
The criminals would then add a stolen card as a payment method or make a small test purchase. If the merchant accepted the card, the system would flag it as valid. On the dark web, tested cards sell for more than untested ones because untested card dumps are, for the most part, junk.
The leak ultimately traced back to a single moment in the chat history with Cursor. The operator requested Cursor for a statistics dashboard, and the AI delivered. After generating the code for the dashboard, the resulting implementation was deployed online through an open web directory with no login or authentication in place.
The model behind Cursor, based on the logs, had enough context to know what it was helping with. A credit card verification service. It kept building anyway. As Cybernews pointed out, “While in this case it helped identify credit card fraud-related abuse, it’s also a lesson for developers using Cursor for legitimate uses, showing how it can lead to accidental data leaks.”
Sources: Digital Journal, CyberNews