A US digital marketing provider has exposed almost three million records containing personally identifiable information (PII) after another cloud configuration mistake.
The privacy snafu at Friendemic, whose main clients are reportedly US car dealerships, was discovered by Aaron Phillips at Comparitech. As is usual in these cases, the unencrypted data was left exposed to the public internet with no password or authentication required to access it.
In this particular instance it was an unsecured Amazon S3 bucket, which Phillips claimed was an SQL dump or database backup, potentially created for migrating data between servers.
All told, there were over 2.7 million records including full names, phone numbers and email addresses, alongside 16 OAuth tokens stored in plaintext.
However, exactly who these records belong to remains a mystery: Friendemic told Comparitech that they were not related to customers of its car dealership clients. It also claimed that the OAuth tokens were for internal systems only and were no longer in use when the data was exposed.
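The exposure described above comes down to a bucket that anyone on the internet could read. As an added example (not code from Comparitech or Friendemic), the following check evaluates an S3 bucket's policy, ACL grants and Public Access Block settings offline and reports whether they leave it world-readable; the bucket name, owner ID and policy documents are constructed sample values.

```python
# Grantee URIs S3 uses for anonymous users and for any signed-in AWS user.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, anonymous included."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def public_policy_findings(policy: dict) -> list[str]:
    """Actions that Allow statements in the bucket policy grant to the world."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            kind = "conditional" if stmt.get("Condition") else "unconditional"
            findings.append(f"{kind} public grant: {','.join(_as_list(stmt.get('Action')))}")
    return findings

def public_acl_findings(grants: list[dict]) -> list[str]:
    """Permissions the bucket ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append(f"{grantee['URI'].rsplit('/', 1)[-1]}: {grant.get('Permission')}")
    return findings

def is_public(policy: dict, grants: list[dict], pab: dict) -> bool:
    """True when a public grant exists that the Public Access Block does not neutralise: IgnorePublicAcls
    disables existing public ACL grants, RestrictPublicBuckets confines a public policy to the owning account."""
    acl_open = bool(public_acl_findings(grants)) and not pab.get("IgnorePublicAcls", False)
    policy_open = bool(public_policy_findings(policy)) and not pab.get("RestrictPublicBuckets", False)
    return acl_open or policy_open

# Constructed sample configuration: a backup bucket left world-readable, as in the article.
LEAKY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-backup-bucket/*"}]}
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
             {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# Corrected setting: all four Public Access Block flags on, which AWS now applies to new buckets by default.
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    print("exposed:", is_public(LEAKY_POLICY, LEAKY_ACL, NO_BLOCK), is_public(LEAKY_POLICY, LEAKY_ACL, FULL_BLOCK))
```

In a live audit the three inputs come from the `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` S3 API calls; the account-level Public Access Block overrides the bucket-level one and should be checked too.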
To its credit, the firm appeared to act quickly on being informed of the incident, remediating the risk within a day.
“While no company ever wants something like this to happen, we are glad to have the vulnerability fixed,” it noted in a statement. “Thank you for notifying us and acting professionally. We have also notified our clients of the situation and have been doing a thorough review and enhancement of our data security.”
However, incidents like these are increasingly commonplace and could put customers at risk of follow-on phishing and identity fraud attacks.
There’s also the risk that attackers could steal the database completely and ransom the contents, or even destroy what they found, as per the recent spate of “Meow” attacks.
Research earlier this year found that misconfiguration accounts for 82% of all security vulnerabilities today.