Exposed data belonged to Friendemic and included full names, email addresses, and contact numbers of its customers.
The dangers of unprotected Amazon S3 buckets are well documented. Yet another firm made the mistake of improper cloud configuration and exposed nearly 3 million customers’ data.
On Sep 12, 2020, Comparitech researchers and an independent security expert discovered a publicly accessible database containing personally identifiable information (PII) of approx. 2.7 million consumers of a US-based digital marketing services provider Friendemic.
Exposed data include names, email IDs, and phone numbers of Friendemic customers in the US. The unencrypted database was accessible publicly since it wasn’t password-protected, and no authentication process was involved in accessing it.
Founded in 2020, Friendemic is a customer management and digital marketing firm that mainly deals in car dealerships. It offers services like social media advertising, online reviews, sales analytics, video sharing, etc.
Friendemic has confirmed the incident and claims that the database was an archive backup. However, the company promptly secured the data after Comparitech notified it about the exposure. After securing the database, Friendemic released an official statement through email, that read:
“While no company ever wants something like this to happen, we are glad to have the vulnerability fixed. Thank you for notifying us and acting professionally. We have also notified our clients of the situation and have been doing a thorough review and enhancement of our data security.”
In its blog post, Comparitech noted that it is unclear how long the database was exposed before researchers discovered it. After discovering the exposed database on Sep 12, researchers notified Friendemic, as per Comparitech’s responsible disclosure policy, on Sep 14, and it was secured by Sep 15.
Friendemic hasn’t clarified exactly who got affected by the data exposure, but it stated that the data didn’t belong to its car dealership clients. The company also claims that the O Auth tokens were not in use when the data got exposed.
Comparitech researcher wrote that it is also unclear whether any unauthorized third party accessed the data. Nevertheless, even if the data wasn’t accessed by a malicious party, Friendemic’s customers should still get in touch with the company and inquire about the breach.