Brazil-based WiFi management software firm WSpot exposed extensive details of high-profile firms and millions of customers.
WSpot provides software that lets businesses secure their on-premises WiFi networks and offer password-free online access to their clients. Notable WSpot clients include Sicredi, Pizza Hut, and Unimed.
According to WSpot, 5% of its customer base was impacted by this leak. However, it maintains that financial information is never collected from the clients, so financial data isn't included in the leak.
About the Leak
Security research firm SafetyDetectives discovered the leak and found that WSpot had a misconfigured Amazon Web Services S3 bucket. Reportedly, this bucket was unprotected and open to public access, which exposed 10 GB of visitor data.
The bucket was discovered on Sep 2nd, and WSpot was notified on Sep 7th, after which the company was able to secure it immediately. The Brazilian company confirmed that its servers remained intact and that threat actors had not breached them.
Furthermore, there’s no indication that unauthorized third parties accessed the exposed information. The company states that it has hired a security firm to investigate the incident.
What Was Exposed?
Around 226,000 files were exposed in this data leak. The leaked information included personal details of at least 2.5 million users who connected to the public WiFi networks of WSpot's clients.
Moreover, according to SafetyDetectives' analysis, the exposed information covered individuals who accessed the companies' WiFi service. It included full names, full addresses, email addresses, and taxpayer registration numbers, as well as the plain-text login credentials users created when registering for the service.
In their blog post, SafetyDetectives explained that:
“We discovered two different file types exposed on the open database — SMS logs and guest reports. There may be more information exposed that was not visible in our sample data. 84MB of files containing SMS logs were found on WSpot’s database. There were an estimated 280,000 total log entries of this type. SMS logs leaked two forms of personal and confidential visitor data. This data belongs to the people that connected to each WSpot client’s WiFi.”
WSpot Confirmed the Leak
According to ZDNet, WSpot has confirmed the leak. The company explained that the leak was caused by insufficient “standardization in the management of information,” which was stored in a specific folder. The company further noted that it has been addressing the issue since SafetyDetectives notified it, and that technical procedures were completed on Nov 18.
A company spokesperson shared that they haven't yet contacted the National Data Protection Authority regarding the incident and that WSpot will address all legal issues. It is also unclear whether the company has notified impacted users.