Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Thousands of iPR Software Users Exposed on Amazon S3 Bucket

A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal. 

A publicly accessible Amazon S3 storage bucket originating from iPR Software was found exposing information on thousands of users, UpGuard’s security researchers reveal. 

The data collection contained, among various other files, 477,000 email addresses, and hashed passwords for around 35,000 of them. Business entity account information, documents, and administrative system credentials were also discovered.  

The storage bucket contained a large number of files, some configured for public access (a total of over a terabyte in size), along with documentation from iPR developers, marketing materials for clients, and credentials for accounts on Google, Twitter, and a MongoDB hosting provider.

The security researchers also found user accounts with hashed passwords for clients such as GE, Xerox, CenturyLink, Forever21, Dunkin Donuts, Nasdaq, California Courts, and Mercury Public Affairs. Files stored in these clients’ directories were also accessible. 

“The distinction between users with and without passwords is not clear from the available data but those with passwords presumably had accounts they could log into, while those without may just have been contacts for media outreach,” the researchers say. 

The Amazon S3 storage bucket was discovered in mid-October and iPR Software was notified on the matter on October 24. Although the company confirmed it was aware of the UpGuard notification, public access was removed only on November 26.

The vast collection of files in the bucket suggested it was likely serving as the backend for the content management system iPR licensed to customers. Internal documentation revealed information on how iPR developers could administer the platform and help clients manage their digital marketing. 

“The contents of the bucket thus included both iPR’s internal resources for managing their platform and its user accounts, and client documents that were distributed through iPR’s CMS product. Multiple overall size queries through AWS timed out after tallying over a terabyte of downloadable files,” UpGuard notes. 

A folder containing backups generated from MongoDB databases, the most recent being a 17 GB file from 2017. This is where the 477,000 media contacts were located. 

Not only did the bucket expose various client data, but it could have also resulted in secondary data loss, given that leaked credentials included keys for iPR’s Twitter account, a password for a MongoDB, and a Google API access key. 

“As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients. When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts,” UpGuard concludes. 

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Amazon S3 Bucket Exposed GoDaddy Server Information

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...