Apparently, FedEx bought Bongo International in 2014, then rebranded it as FedEx Crossborder (which was itself shut down last year). The exposed data were reportedly stored on an unsecured Amazon S3 virtual server that belonged to Bongo, and included records from a period of 2009 - 2012, according to Kromtech, who own MacKeeper Security. Once the company connected with ZDNet's Zack Whittaker, who did some digging, the exposed server was removed from public access entirely. Still, that means all these records have been available for a long time.
"After a preliminary investigation," FedEx told ZDNet, "we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation."