Hosting Provider Exposed 63M Records incl. WP & Magento
Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a massive leak of over 60 million records by a Cloud Application Hosting company. Here are his findings:
On October 5th I discovered a non-password protected database that contained a large amount of monitoring and system logs. There were records indicating data backups, monitoring, error logging, and more. Upon further research, the database appeared to belong to the Texas-based cloud application hosting provider, Cloud Clusters Inc. According to their website, they have 4 data center locations that include: Bend, Oregon, Charlotte, North Carolina, Denver, Colorado, and Dallas, Texas.
I immediately sent a responsible disclosure notice of my findings. Public access was restricted shortly after my notice. No one replied to my first messages and after a second follow-up email on October 13th I received an acknowledgment of my notification that said “Thanks for pointing out the problems to enhance website security. We also take data security very seriously.” It is unclear if Cloud Clusters Inc had notified customers or authorities regarding the exposure.
Emails and passwords in plain text are a potential nightmare waiting to happen.
I saw user/password credentials for Magento, WordPress accounts, and MySql. Magento is an eCommerce platform used to sell products or services and WordPress is a website management system written in PHP. An exposure of login details could have potentially put these accounts and shoppers at risk. Cloud Clusters Inc’s customers could have been targeted by social engineering or spear phishing attempts using the exposed emails and credentials.
It is unclear how long these records were exposed or who else may have had access to this data. As a security researcher, I never circumvent or bypass password protected assets. These records were publicly accessible and no hacking necessary to see 63.7 million records. If a cybercriminal had access to this information it could potentially compromise those sites and eCommerce accounts. I am not implying that customers or visitors to these sites were at risk only raising awareness of what was exposed to anyone with an internet connection. After any security breach, all administrative credentials should be changed immediately including customer passwords or details that were captured in monitoring logs.
There were records in the database connecting multiple company names that all provide similar data hosting and management services under the Cloud Clusters umbrella. With the massive amount of records, it was hard to tell just how many services they operate, but the names I saw included names such as Mgtclusters, Hyper-v-mart, and several variants of Cloudclusters.
According to their website: “Cloud Clusters Inc was founded in 2017 by the same team from Database Mart LLC (DBM), a privately held company in Texas. DBM provides VPS, and dedicated server hosting business to global clients from 2005 with superb customer services. Cloud Clusters Inc provides fully managed open-source application services on Kubernetes cloud”.
What the database contained:
The database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
Exposed records that contain internal information such as monitoring, and logs that exposed usernames, user email addresses, and multiple service passwords in plain text. IE: Magento, WordPress, MySQL
Client panel and employee login paths and data.
63,747,966 total records exposed.
Evidence of Meow bot attack (a malicious script that deletes data).
Middleware and build information that could allow for a secondary path for malware.
IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
The Danger of Exposing Logging and Monitoring Data
Insufficient log monitoring is a major issue that can expose sensitive internal data and is often overlooked. Most companies focus on data protection of their core assets and they often forget that monitoring and log data is an incident waiting to happen. Logs can expose a wide range of data such as logins, failed logins, and other critical transactions. This is a big problem that many companies face and in most cases they may not even realize their monitoring or error log systems are exposing data until it’s too late.
Nearly all systems generate some type of logging and it is an important part of the infrastructure to ensure that everything is functioning properly and to keep a record of events. It is crucial that the security or data protection policies include a plan to monitor and review messages coming from those logs. This way if the logs are exposing sensitive data steps can be taken to treat the logs as a high-risk asset.
Having a data breach or security incident is a nightmare for any company or organization, but it is even worse if you are a company that provides data hosting services. Clients and customers can only take so many precautions when it comes to data protection and ultimately have to have faith in their data storage provider. Cybercriminals are becoming more creative in how they target victims for identity theft, malware, or phishing campaigns. Companies must do more to protect their users from online threats and use the every tool necessary to provide the best online privacy. This includes securing logging and monitoring records that can expose sensitive data.