
Marketing Firm Spills Nearly Three Million Records

A US digital marketing provider has exposed almost three million records containing personally identifiable information (PII) after another cloud configuration mistake.

The privacy snafu at Friendemic, whose main clients are reportedly US car dealerships, was discovered by Aaron Phillips at Comparitech. As is usual in these cases, the unencrypted data was left exposed to the public internet with no password or authentication required to access it.

In this particular instance, the data sat in an unsecured Amazon S3 bucket. Phillips claimed it was an SQL dump or database backup, potentially created for migrating data between servers.

All told there were over 2.7 million records including full names, phone numbers and email addresses, alongside 16 OAuth tokens stored in plaintext.

However, exactly who these records belong to remains a mystery: Friendemic told Comparitech that they were not related to customers of its car dealership clients. It also claimed that the OAuth tokens were for internal systems only and were no longer in use when the data was exposed.

To its credit, the firm appeared to act quickly on being informed of the incident, remediating the risk within a day.

“While no company ever wants something like this to happen, we are glad to have the vulnerability fixed,” it noted in a statement. “Thank you for notifying us and acting professionally. We have also notified our clients of the situation and have been doing a thorough review and enhancement of our data security.”

However, incidents like these are increasingly commonplace and could put customers at risk of follow-on phishing and identity fraud attacks.

There’s also the risk that attackers could steal the database completely and ransom the contents, or even destroy what they found, as per the recent spate of “Meow” attacks.

Research earlier this year found that misconfiguration accounts for 82% of all security vulnerabilities today.
