A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal.
The data collection contained, among various other files, 477,000 email addresses, and hashed passwords for around 35,000 of them. Business entity account information, documents, and administrative system credentials were also discovered.
The storage bucket contained a large number of files, some configured for public access (a total of over a terabyte in size), along with documentation from iPR developers, marketing materials for clients, and credentials for accounts on Google, Twitter, and a MongoDB hosting provider.
The security researchers also found user accounts with hashed passwords for clients such as GE, Xerox, CenturyLink, Forever21, Dunkin Donuts, Nasdaq, California Courts, and Mercury Public Affairs. Files stored in these clients’ directories were also accessible.
“The distinction between users with and without passwords is not clear from the available data but those with passwords presumably had accounts they could log into, while those without may just have been contacts for media outreach,” the researchers say.
The Amazon S3 storage bucket was discovered in mid-October, and iPR Software was notified of the matter on October 24. Although the company confirmed it was aware of the UpGuard notification, public access was removed only on November 26.
The vast collection of files in the bucket suggested it was likely serving as the backend for the content management system iPR licensed to customers. Internal documentation revealed information on how iPR developers could administer the platform and help clients manage their digital marketing.
“The contents of the bucket thus included both iPR’s internal resources for managing their platform and its user accounts, and client documents that were distributed through iPR’s CMS product. Multiple overall size queries through AWS timed out after tallying over a terabyte of downloadable files,” UpGuard notes.
One folder contained backups generated from MongoDB databases, the most recent being a 17 GB file from 2017. This is where the 477,000 media contacts were located.
Not only did the bucket expose various client data, but it could also have resulted in secondary data loss, given that the leaked credentials included keys for iPR’s Twitter account, a MongoDB password, and a Google API access key.
“As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients. When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts,” UpGuard concludes.