A US digital marketing provider has exposed almost three million records containing personally identifiable information (PII) after another cloud configuration mistake. The privacy snafu at Friendemic, whose main clients are reportedly US car dealerships, was discovered by researchers at Comparitech. As is usual in these cases, the unencrypted data was left exposed to the public Internet with no password or authentication required to access it. Research earlier this year found that misconfiguration accounts for 82% of all security vulnerabilities today.
In this instance it was an unsecured Amazon S3 bucket which researchers claimed to be an SQL dump or database backup, potentially created for migrating data between servers. In summary, there were over 2.7 million records including full names, phone numbers and email addresses, alongside 16 OAuth tokens stored in plaintext.
However, exactly who these records belong to remains a mystery. Friendemic told Comparitech that they were not related to customers of its car dealership clients. It also claimed that the OAuth tokens were for internal systems only and were no longer in use when the data was exposed.
To its credit, the firm appeared to act quickly on being informed of the incident, remediating the risk within a day. “While no company ever wants something like this to happen, we are glad to have the vulnerability fixed,” it noted in a statement. “Thank you for notifying us and acting professionally. We have also notified our clients of the situation and have been doing a thorough review and enhancement of our data security.”
Incidents like these are increasingly commonplace and could put customers at risk of follow-on phishing and identity fraud attacks. There is also the risk that attackers could steal the database completely and ransom the contents, or even destroy what they found, as per the recent flurry of “Meow” attacks.
Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation. The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web.
A quick search by BleepingComputer on the IoT search engine Shodan initially found dozens of databases that have been affected by this attack. Recently, the number of wiped databases increased to over 1,800. These attacks have pushed researchers into a race to find the exposed databases and report them responsibly before they become 'meowed.'
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
So, what can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide. (Read Multifactor Authentication or MFA)
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941