IT security researchers at Website Planet discovered what they called a ‘large data breach’ affecting a US-based marketing automation firm, Beetle Eye.
According to Website Planet’s blog post, an estimated seven million people were affected by the data exposure. The exposed data included their names, emails, phone numbers, and addresses.
A majority of Beetle Eye’s customers were American nationals, but many customers were Canadian. Presumably, the exposed databases were part of leads that Beetle Eye customers used for digital marketing purposes.
Misconfigured AWS S3 Bucket
In a blog post, the researchers stated that a misconfigured Amazon Web Services (AWS) S3 bucket was responsible for exposing over 6,000 files, or 1 GB worth of data. The bucket was left without any password protection or encryption.
According to researchers, around ten different folders were discovered in Beetle Eye’s exposed bucket, and each file in these folders contained data of at least one client.
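As an added example (not from Website Planet's report or from Beetle Eye), the Python check below flags the two conditions described above, a bucket readable without authentication and one with no default encryption, from settings in the shapes returned by the S3 GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption calls. The function name, finding labels and both sample configurations are constructed for illustration.

```python
import json

# Group URIs S3 uses for "everyone" and "any authenticated AWS user" grantees.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(cfg):
    """Return sorted findings; a missing key means the setting is not configured."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    off = [f for f in PAB_FLAGS if not pab.get(f, False)]
    findings = ["public-access-block-off:" + ",".join(off)] if off else []
    # A public ACL grant only takes effect when IgnorePublicAcls is off.
    for grant in cfg.get("Grants", []):
        public = grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
        if public and not pab.get("IgnorePublicAcls", False):
            findings.append("public-acl:" + grant["Permission"])
    # Wildcard-principal Allow statements. Conditions are not evaluated here,
    # so a conditioned statement is still flagged for manual review.
    restricted = pab.get("RestrictPublicBuckets", False)
    stmts = json.loads(cfg.get("Policy", "{}")).get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        who = st.get("Principal")
        wildcard = who == "*" or (
            isinstance(who, dict) and who.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and wildcard and not restricted:
            findings.append("public-policy:" + str(st.get("Action")))
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("no-default-encryption")
    return sorted(findings)

# Constructed sample configurations (not the reported bucket's real settings).
EXPOSED = {
    "Grants": [{"Grantee": {"Type": "Group", "URI":
                "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-leads-bucket/*"}]}),
}
LOCKED = {
    "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                "Permission": "FULL_CONTROL"}],
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}
```

`audit_bucket(EXPOSED)` reports all four problems, while `audit_bucket(LOCKED)` returns an empty list.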
Three Datasets Identified
There were three different datasets on the bucket: Colorado.com leads, GoldenIsles.com leads, and Unnamed leads. Reportedly, the exposed datasets contained different kinds of personally identifiable information (PII).
For instance, Unnamed leads included full names (first name and surname) of the lead, current/previous addresses, current/previous ZIP codes, and current/previous cities.
GoldenIsles.com leads files contained more PII, such as full names, addresses, email IDs, phone numbers, company names, data collection-related details, and survey responses.
Colorado.com leads files contained full names, addresses, email IDs, and survey answers and questions about Colorado.com magazine subscriptions.
It is still unclear whether the database was accessed by a third party with malicious intent, such as ransomware gangs or other threat actors. If it was, the consequences would be devastating for Beetle Eye, as the exposure puts customers and employees at risk of online scams, phishing campaigns, and malware infection.
Although the database was identified in September last year, the researchers shared the details only recently. Nevertheless, the good news is that Beetle Eye was quick to secure its database upon receiving alerts from Website Planet.