Another Bucket Leak: Third-Party PR Firm Serving Top-Name Brands Exposed Customers’ Data
Written by: Black Kite
IPR, a PR company that provides CM software as well as marketing services to top-name brands, exposed customers’ sensitive data through a publicly-accessible Amazon S3 bucket database, according to a recent news report(*). Among the sensitive information leaked through the bucket, there were details of 477,000 clients’ media contacts, business account information, 35,000 hashed user passwords, various documents, and admin credentials for Google, Twitter, and MongoDB. The data belonged to some high-profile customers of IPR Software including Xerox, CenturyLink, Nasdaq, General Electric, Forever21, and Dunkin Donuts.
An unprotected database on a cloud asset
The researchers found about the bucket named “cms [.] ipressroom [.] com”, which was publicly accessible in mid-October. About 9 days later, they discovered that the owner is IPR Software. Upon notification, IPR indicated they were aware of the issue and in the process of securing the database. Only after a full month following the notification, the database was fully secured.
The bucket contained a large collection of files reaching terabytes, suggesting it was likely serving as the backend for IPR’s content management system. Among the files accessible, there is internal documentation regarding the administration of IPR’s platform as well as IPR users’ accounts and client data, such as management of their digital marketing.
Personal Data:
- Clients’ Media Contact information
IPR’s data:
- IPR’s Twitter account
- A password for a MongoDB
- Google API access key
Company-specific data:
- Customers’ marketing strategy.
Beware of Your Third-Parties
As a third party providing PR, CM, and marketing to large customers, it makes sense that IPR would centrally manage that kind of data for their clients. However, when it is publicly accessible, the consequences are dire. That means hundreds of thousands of people’s data, which are actually clients’ media contact information provided to IPR, are also exposed.
Taking into account the type of data kept in the database, hackers could leverage this information in phishing scams, social media take-overs, credential stuffing, and extortion.
Misconfigured cloud assets are open invitations to hackers
Many companies use cloud servers to store their data. Despite their great advantage, misconfigured buckets may expose sensitive data. It is a kind of an open invitation to hackers to dump and use a company’s data for their malicious activities as we have seen in this incident. Besides, this is not the first incident a misconfigured cloud asset caused significant data exposure.
3rd- and 4th-party service providers, such as cloud storage providers, improve their cyber resilience as much as possible. They publish best practices on how to use their cloud services and provide options to keep the data public or private, a feature configured by companies that accommodate cloud servers. Any misconfiguration may expose data to the public and the first ones who notice these exposed data would be-hackers and hacktivists. It is no wonder that Security Misconfiguration is #6 in OWASP Top 10.
A shortlist of common misconfigurations
- Use of factory default system credentials (username/passwords)
- Directory and file listings that are not disabled and easily available through search engines
- Some user traces may have too much information, such as pages returned to users with error messages
- Leaving unnecessary pages, such as sample apps, old privileges, and user accounts
- Out of date software (older versions), use of legacy systems, and patches which are not up-to-date
Simple steps to prevent misconfigured data
- Discover all your 3rd and 4th party service providers and cloud storage servers that your company use.
- Check for misconfiguration of cloud storage servers
- Monitor cyber risk of your 3rd and 4th party providers.
- Regularly check Intrusion Detection System (IDS) logs and consider host-based IDS rather than network-based IDS to examine events on host-level
- Increase the cyber security awareness of your employees and regularly check for leaked credentials.
- Create an agilent patch management procedure. For that reason, use tools such as Black Kite Cyber Risk Scorecards that gives your cyber security posture in Patch Management (among 19 other categories).
A few lessons for businesses
Businesses need to look at their vendors, suppliers, and in general third-parties on a “data perspective”. They need to keep track of the data lifecycle, whether it be personal data of its clients or company-specific sensitive data. This needs to be done both within the perimeter and outside the perimeter. An inventory keeping track of the company’s infrastructure and data will be a starting point most of the time.
They also need to monitor their third-parties on a continuous scale. In today’s world, with thousands of company assets beyond the perimeter, it is nearly impossible to continuously monitor and audit third-parties manually, with a high level of confidence.
Black Kite automates the process of third-party monitoring on a cyber-security level. Black Kite’s Cyber Risk Scorecard identifies potential third-party or supply-chain risk by scanning the target company’s domain name using OSINT (open-source intelligence) techniques. Providing the potential risks posed by third-party vendors, Black Kite achieves continuous risk monitoring on a cyber-security level.
(*) https://threatpost.com/ge-dunkin-forever21-internal-doc-leak/150920/