B2B Sales Portal Provider Exposed 1.5 Million Records Online
Secure Thoughts collaborated with security expert Jeremiah Fowler to expose a leak of 1.5 million records of potentially sensitive data by a B2B sales portal provider. Here are his findings:
On Jan 9th, 2021 I discovered a non-password-protected database that contained 1.5 million records. These documents contained invoicing and payment records, references to reports and other potentially sensitive data. Many of the records indicated or made reference to a company called Inside Sales Solutions (ISS). I immediately sent a responsible disclosure notice and the database was closed to public access the same day.
The database was titled “Shared” and appeared to be a client portal that monitored and managed sales, leads, billing, invoicing and more. Many of the records had very detailed summaries and status notes. The most troubling part of the discovery was records that contained an admin dashboard or portal login and passwords in plain text. Many of the passwords I saw were extremely weak and it is unclear what access a logged-in user would have. Exposed passwords and login credentials can give criminals access to restricted data that is deeper in the network and often more sensitive. Legitimate security researchers never circumvent password protections and I can only assume that these credentials would have given the user access to sales and analytics, conversions, or more.
What the database contained:
- Total Size: 2.59 GB / Total Docs: 1,530,845
- The database was set to open, with the data visible in any browser (publicly accessible); anyone could edit, download or even delete data without administrative credentials.
- Exposed records marked “Production” that contained internal information such as content management notes on clients and internal messaging.
- Customer or partner emails, names, account portal passwords and email alias passwords. These could be targeted for phishing or exploited directly.
- Invoicing and payment records, references to reports and other potentially sensitive data.
- 400,305 “Contacts”: these records contained names, addresses, emails and phone numbers.
How Big are the Risks?
The danger of this type of exposure is broad because of how detailed the records were. Records of business relationships put the people named in them at higher risk of social engineering. Where a position of trust already exists, criminals could reference invoice numbers or other account-specific information to convince their targets that they are dealing with a known contact. Detailed notes on business relationships, names, dates, emails, deal progress and more give an attacker enough nonpublic information to craft a highly targeted message. The victim could plausibly assume they are working with a legitimate agent or representative and be tricked into providing credit card or banking information.
Social engineering attacks are among the most successful forms of cyber crime, and no amount of software or security controls can prevent every human error. A social engineering attack needs only a simple way to gather information, a pretext that places the attacker in a position of trust, and a channel to contact the target. The human element will always be the hardest part of data protection. Education and awareness of the risks remain the best tools against social engineering.
According to their website: “Inside Sales Solutions helps B2B technology companies drive revenue faster with low-risk sales development services delivered by tech-sales experts”
Inside Sales Solutions is based in Petersburg, FL and has an office in New York and a remote team based in the UK. The database and notes indicate some form of outbound sales calling and scheduling of meetings between businesses. The notes record who communicated with whom, what was said, and what follow-up actions were needed. Often these internal notes contained multiple entries and what the agent or representative thought about the lead’s potential or previous interactions. Taken together, these records exposed a working blueprint of how the business operates on the back end.
It is unclear how long the data was exposed or who else may have had access to these records. Inside Sales Solutions acted fast and I received a thank-you reply within an hour of sending my disclosure notice. I am not implying any wrongdoing or that this data was accessed or exploited by any other third party. I am only highlighting my discovery and summarizing the records I personally saw. My goal is to raise awareness of any potential risks and to encourage companies to do everything possible to strengthen their cyber hygiene and data protection protocols.
Data Protection Basics
Companies and organizations that collect and store data must do more to protect this information from unintentional human error and malicious attacks. In this instance no hacking was needed to see 1.5 million records; anyone with an internet connection could have gained access.
One important step organizations can take is to ensure that sensitive data is encrypted. If an unintended exposure then occurs, the records are far harder to extract information from. A caveat matters here: disk or volume encryption on the database host does nothing in a case like this one, because the database server decrypts transparently and serves plaintext to any client that can reach it. For the encryption to help when the database itself is left open, sensitive fields (credentials, contact details, payment data) have to be encrypted at the application layer with keys the database server does not hold, and passwords should never be stored at all except as salted, slow hashes. No encryption method keeps data protected forever; algorithms age and what was strong a decade ago may be breakable today. Even so, encryption is far better than nothing. Storing plain-text records is a recipe for disaster and should be avoided whenever possible, and encryption should always be used for sensitive or vital records stored in the cloud or on local networks.
Another factor that decides how bad a breach turns out is how the encryption keys are stored and managed. Many organizations make the mistake of storing the encryption keys on the same server as the encrypted data. It is the cyber-security equivalent of making your password your username and your username your password. Encrypting the data and then storing the key alongside it is a critical mistake that is easily avoided: keep the key-encryption key in a separate key-management service or hardware module, and let the data store hold only ciphertext and keys that are themselves wrapped under that external key.
Data exposures happen and bad actors are always probing for data to exploit. Being prepared and proactive is one of the best ways organizations can protect themselves. Make sure that your company or organization has a plan in place and designated team members who periodically check which services are listening on public interfaces and whether they require authentication, and who keep patch management and security updates current.
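The following Go program is an added illustration of the key-separation point above; it is not code from Jeremiah Fowler, Secure Thoughts or Inside Sales Solutions. It implements envelope encryption: each record gets its own random data key, the payload is sealed with AES-256-GCM under that key, and the data key is then wrapped by a key-encryption key (KEK) that only a separate key service holds. The `KeyService` type is an in-process stand-in for a real KMS or HSM (an assumption of this example), the record IDs and payload are constructed sample data, and a dump of the stored `Record` values alone, which is what an open database would have leaked, cannot be decrypted without that external KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for a key-management service (KMS or HSM) on a separate
// host: it holds the key-encryption key (KEK) and only wraps and unwraps data
// keys, so the KEK never sits in the database. Modelling it as an in-process
// struct is an assumption of this example, not a real KMS client.
type KeyService struct{ kek []byte } // 32 bytes: AES-256

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewKeyService generates a fresh random KEK.
func NewKeyService() (*KeyService, error) {
	kek, err := randomBytes(32)
	return &KeyService{kek: kek}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts with AES-256-GCM under a fresh nonce and returns nonce||ciphertext||tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; a wrong key, tampered bytes or mismatched aad fails.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// The record ID is bound as AAD so a wrapped key cannot be moved to another record.
func (k *KeyService) WrapDataKey(dek []byte, id string) ([]byte, error) { return sealAEAD(k.kek, dek, []byte(id)) }
func (k *KeyService) UnwrapDataKey(w []byte, id string) ([]byte, error) { return openAEAD(k.kek, w, []byte(id)) }

// Record is what the database stores: ciphertext plus the wrapped data key. A
// full dump yields both and still nothing usable without the KEK held elsewhere.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord: random per-record data key (DEK), payload sealed under it,
// DEK wrapped by the key service, plain DEK discarded when the function returns.
func EncryptRecord(ks *KeyService, id string, payload []byte) (Record, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Record{}, err
	}
	ct, err := sealAEAD(dek, payload, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDataKey(dek, id)
	return Record{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, err
}

// DecryptRecord must obtain the DEK from the key service before opening the payload.
func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDataKey(r.WrappedDEK, r.ID)
	if err != nil {
		return nil, err
	}
	return openAEAD(dek, r.Ciphertext, []byte(r.ID))
}

// DecryptFromDumpOnly models an attacker holding the database dump but not the key
// service: they must guess the KEK, and GCM's authentication tag rejects a wrong guess.
func DecryptFromDumpOnly(r Record) ([]byte, error) {
	return DecryptRecord(&KeyService{kek: make([]byte, 32)}, r) // all-zero guess
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample payload, not data from the exposed database.
	rec, _ := EncryptRecord(ks, "invoice-1001", []byte("contact jane@example.com, portal password hunter2"))
	pt, err := DecryptRecord(ks, rec)
	fmt.Printf("with key service: %q err=%v\n", pt, err)
	_, err = DecryptFromDumpOnly(rec)
	fmt.Printf("dump alone: err=%v\n", err)
}
```

Two design choices carry the argument of the paragraph above: the KEK is only ever used inside `KeyService`, so a copy of the data store (records plus wrapped keys) is worthless on its own, and the record ID is authenticated as associated data, so a wrapped key cannot be swapped between records. In production the `KeyService` calls would go over an authenticated channel to a real KMS, which is also where key rotation and access logging belong.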