A marketing firm exposed hashed passwords and sensitive public relations documents of thousands of customers via a leaky Amazon S3 database – including big-name brands like GE, Dunkin’ Donuts, Forever 21 and more.
Researchers with UpGuard in October discovered a misconfigured Amazon S3 storage bucket, originating from iPR Software, a hosted content management software platform for online newsrooms, websites and social-media communications. The database contained data belonging to clients using iPR Software’s platform, including the details of 477,000 clients’ media contacts, business entity account information, 35,000 hashed user passwords, assorted documents and administrative system credentials.
“The Amazon S3 storage bucket contained a large collection of files, some of which were configured for public access, totaling over a terabyte in size,” said researchers in a Monday post. “In addition to the database files, the storage bucket contained documentation from iPR developers, documents which appear to be marketing materials for client companies, and credentials for iPR accounts on Google, Twitter and a MongoDB hosting provider.”
The contents of the bucket included both iPR’s internal resources for managing their own platform and the data about the company’s user accounts and client documents distributed through iPR’s CMS product.
That included directories with other files relevant to clients – including internal public-relations strategy documents, such as plans for communications during crises or adverse media attention.
UpGuard said that the large organizations exposed included California Courts, CenturyLink, Nasdaq, Xerox and Mercury Public Affairs (a firm relevant to the Rick Gates and Paul Manafort investigations). In addition to the user accounts, the files stored in these clients’ directories were also available, researchers said.
“The database backup which we analyzed was uploaded in 2017 and has most likely been exposed since that time, but it would require logs from Amazon to really prove that,” Chris Vickery with UpGuard told Threatpost. It’s unclear if the database was accessed by anyone else.
Researchers also found various system credentials including iPR’s Twitter account credentials, a Google API access key, and a password for a MongoDB hosted on mongolayer.com.
In regards to the MongoDB password, “this is from a shuttered MongoDB service hosted by Compose IBM. This is a sunset 3rd party-service that was never owned or maintained in any way by MongoDB Inc.,” a MongoDB spokesperson told Threatpost.
The database was first discovered on Oct. 15. Researchers notified iPR Software on Oct. 24.
“After twelve days with no action, UpGuard contacted trusted journalists at Scoop News Group, with whom we have worked in the past, for additional help engaging iPR,” said researchers. “Finally, public access for the bucket and all contents was removed on November 26, 2019.”
Accidental data exposure continues to be an issue plaguing third-party companies. According to the 2019 Verizon Data Breach Investigations Report, insider-initiated incidents account for 34 percent of data breaches, with many of these being accidental exposures as opposed to malicious.
In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. In April, hundreds of millions of Facebook records were found in two separate publicly-exposed app datasets.
With companies storing so much sensitive information – particularly relating to company public relations – keeping data secure is paramount, researchers stressed.
“As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients,” said researchers. “When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts.”
iPR Software did not respond to a request for comment by deadline.
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.