Thousands of iPR Software Users Exposed on Amazon S3 Bucket

A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal. 

The data collection contained, among various other files, 477,000 email addresses, and hashed passwords for around 35,000 of them. Business entity account information, documents, and administrative system credentials were also discovered.  

The storage bucket contained a large number of files, some configured for public access (a total of over a terabyte in size), along with documentation from iPR developers, marketing materials for clients, and credentials for accounts on Google, Twitter, and a MongoDB hosting provider.

The security researchers also found user accounts with hashed passwords for clients such as GE, Xerox, CenturyLink, Forever21, Dunkin Donuts, Nasdaq, California Courts, and Mercury Public Affairs. Files stored in these clients’ directories were also accessible. 

“The distinction between users with and without passwords is not clear from the available data but those with passwords presumably had accounts they could log into, while those without may just have been contacts for media outreach,” the researchers say. 

The Amazon S3 storage bucket was discovered in mid-October and iPR Software was notified of the matter on October 24. Although the company confirmed it was aware of the UpGuard notification, public access was removed only on November 26.

The vast collection of files in the bucket suggested it was likely serving as the backend for the content management system iPR licensed to customers. Internal documentation revealed information on how iPR developers could administer the platform and help clients manage their digital marketing. 

“The contents of the bucket thus included both iPR’s internal resources for managing their platform and its user accounts, and client documents that were distributed through iPR’s CMS product. Multiple overall size queries through AWS timed out after tallying over a terabyte of downloadable files,” UpGuard notes. 

A folder contained backups generated from MongoDB databases, the most recent being a 17 GB file from 2017. This is where the 477,000 media contacts were located.

Not only did the bucket expose various client data, but it could have also resulted in secondary data loss, given that leaked credentials included keys for iPR’s Twitter account, a password for a MongoDB, and a Google API access key. 

“As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients. When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts,” UpGuard concludes. 

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Amazon S3 Bucket Exposed GoDaddy Server Information

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
