TechCrunch Desktop Logo
TechCrunch Mobile Logo
Image Credits:file photo

Tuft & Needle exposed thousands of customer shipping labels

Zack Whittaker

Mattress and bedding giant Tuft & Needle left on an unprotected cloud server hundreds of thousands of FedEx shipping labels containing customer names, addresses and phone numbers.

More than 236,400 shipping labels were found on an Amazon Web Services (AWS) storage bucket without a password, allowing anyone who knew the easy-to-guess web address access to the customer data. Often, these AWS storage buckets are misconfigured by the owner by being set to “public” and not “private.”

The exposed labels were created between 2014 and 2017 during the company’s early years. Tuft & Needle was founded in 2012 in Arizona. But some labels were printed as recently as 2018.

It’s not known for how long the storage bucket was left open.

Two customer shipping labels of the hundreds of thousands exposed. We have redacted the shipping labels to protect the customers’ privacy. (Screenshot: TechCrunch)

U.K.-based penetration testing company Fidus Information Security found the exposed data. TechCrunch verified the data by matching names and addresses against public records.

We contacted Tuft & Needle about the data exposure on Monday. The storage bucket was quickly shut down.

“We’ve secured any potential exposure and are investigating the matter further,” said spokesperson Brooke Figlo in an email.

Techcrunch event

Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025

Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.

Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025

Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.

San Francisco | October 27-29, 2025
REGISTER NOW

Tuft & Needle said it would “comply” with any applicable state data breach notification laws, but did not explicitly say if the company would inform customers of the security lapse.

Stop saying, ‘We take your privacy and security seriously’

Topics

, , , , ,
Zack Whittaker

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.

View Bio
October 27-29, 2025
San Francisco


ONE-WEEK BUNDLE FLASH SALE

Founder Bundle Offer: Land your investor and sharpen your pitch. Save 15% when you bring 4-9 founders.

Investors Bundle Offer: Discover your next breakout startup. Save 20% when you bring 4-9 investors.

Bundle offer ends October 3.

Register Now
Loading the next article
Error loading the next article