[BreachExchange] Massive WWE Leak Exposes 3 Million Wrestling Fans' Addresses, Ethnicities And More

Inga Goddijn inga at riskbasedsecurity.com
Fri Jul 7 09:39:05 EDT 2017


https://www.forbes.com/sites/thomasbrewster/2017/07/06/massive-wwe-leak-exposes-3-million-wrestling-fans-addresses-ethnicities-and-more/#6835570575dd
WWE fans take note: an IT error may have left your personal information
open to anyone, including addresses, educational background, earnings and
ethnicity.

Earlier this week, Bob Dyachenko, from security firm Kromtech, told Forbes
he'd uncovered a huge, unprotected WWE database containing information on
more than 3 million users, noting it was open to anyone who knew the web
address to search. Looking at samples of the leaked information provided by
Dyachenko, all data was stored in plain text.

The data - which also included home and email addresses, birthdates, as
well as customers' children's age ranges and genders where supplied - was
sitting on an Amazon Web Services S3 server without username or password
protection, Dyachenko said. It's likely the database was misconfigured by
WWE or an IT partner as in other recent leaks on Amazon-hosted
infrastructure. WWE said it was investigating.

It's unclear what branch of the WWE Corporation the database came from,
though Dyachenko suspects it belonged to one of its many marketing teams,
given it was accompanied by reams of social media tracking data, including
posts from superstars and fans. The kinds of data in the leak are the same
as those in the account details section for customers of the WWE Network,
a subscription-based video streaming service for wrestling events.

That wasn't the only database WWE was leaking, Dyachenko added. It left
another on Amazon's hosting service that contained reams of information
primarily on European fans, though the information contained only
addresses, telephone numbers and names, a review of samples of the data
revealed. According to one customer, who responded to Forbes' inquiries
trying to validate the leaked data, it was likely this database was from an
online WWE store as "the network doesn't require a mobile number."

Shortly after WWE was alerted to the leak by Dyachenko on July 4, the
company moved swiftly to take both databases offline, making them inaccessible.

"Although no credit card or password information was included, and
therefore not at risk, WWE is investigating a potential vulnerability of a
database housed on a third party platform," a spokesperson from the
wrestling giant said.

"In today's data-driven world, large companies store information on third
party platforms, and unfortunately have been subject to similar
vulnerabilities. WWE utilizes leading cybersecurity firms to proactively
protect our customer data."

WWE didn't say where the information came from or how long the database was
open on Amazon. The spokesperson said the firm was working with "a leading
cybersecurity firm" to determine the cause of the leak.

Ethical ethnicity issues

While the security lapse is cause for concern, that WWE is also collecting
ethnicity information and children's age ranges has privacy advocates
anxious. Amongst the categories within the ethnicity bracket were
Caucasian, African American, American Indian, Hispanic and Asian, while
options for children's age ranges were under 13, over 13, both or none. It
would appear, however, that the fans had volunteered that information,
having the choice to do so on their WWE Network profile.

Joseph Lorenzo Hall, chief technologist at the Center for Democracy &
Technology, pointed to the issues Facebook had in late 2016 after it was
criticized for offering advertisers the ability to target ads at ethnic
groups. Facebook responded by preventing advertisers targeting ads at
specific ethnicities for housing, employment or credit. WWE does not state
in its privacy policy how it will use ethnicity or earnings data, though
does say it shares personal information with selected, unnamed partners.

"It's unfortunate by being a WWE fan, you're now part of a data breach.
Addresses with number and ages of children make me nervous," added Hall.

He also called on Amazon to do more for those leaving data open on its
cloud servers. "It's unfortunate Amazon doesn't have a 'neighborhood
patrol' of sorts for S3 that checks for open buckets with sensitive data -
jiggling the locks, checking for apparent misconfigurations - and then
takes them offline." Amazon hadn't responded to a request for comment at
the time of publication.
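The "checking for apparent misconfigurations" Hall asks for is something a bucket owner can do themselves, because the two documents that make an S3 bucket world-readable, the bucket ACL and the bucket policy, are plain JSON. The script below is an added example written for this post; it is not code from the Forbes article, from WWE, from Kromtech or from Amazon. It evaluates those two documents offline in the shape the AWS API returns them (in boto3, get_bucket_acl and get_bucket_policy) and reports grants to the AllUsers / AuthenticatedUsers groups and Allow statements with a wildcard Principal. The sample ACL and policy documents and the bucket names are constructed for the example and are not the buckets from the article.

```python
"""Offline audit of S3 bucket ACL and bucket policy documents for public exposure.

Added example, not part of the Forbes article or the BreachExchange post.
Input documents follow the JSON shapes returned by GetBucketAcl and
GetBucketPolicy; the sample documents at the bottom are constructed.
"""
import json

# Predefined S3 groups: AllUsers means anyone on the internet, AuthenticatedUsers
# means any AWS account, not just the bucket owner's. A grant to either is public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True when a statement's Principal means 'everyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return (Sid, actions, has_condition) for each Allow statement with a wildcard Principal.

    A statement with a Condition block (for example an aws:SourceIp restriction) is
    still reported but marked conditional: its real reach depends on the condition
    keys, so it needs a human review rather than an automatic verdict.
    """
    if policy is None:
        return []
    if isinstance(policy, str):          # GetBucketPolicy returns the policy as a JSON string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", [])), "Condition" in stmt))
    return findings


def audit_bucket(name, acl, policy):
    """Combine ACL and policy findings into one verdict for a bucket."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy)
    unconditional = [f for f in policy_findings if not f[2]]
    return {
        "bucket": name,
        "acl_public_grants": acl_findings,
        "policy_public_statements": policy_findings,
        # Public if anyone can read via the ACL or via an unconditional policy statement.
        "public": bool(acl_findings or unconditional),
    }


# Constructed sample: the misconfiguration pattern the article describes
# (bucket readable by anyone who knows the address). Placeholder bucket names.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID", "DisplayName": "example-owner"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-marketing-export/*"},
]})
# Constructed hardened counterpart: owner-only ACL, no bucket policy.
HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}


def demo():
    """Audit the two constructed buckets and return the reports."""
    return [audit_bucket("example-marketing-export", LEAKY_ACL, LEAKY_POLICY),
            audit_bucket("example-marketing-export-fixed", HARDENED_ACL, None)]


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

Run against real buckets, the same functions take the dictionaries returned by boto3's get_bucket_acl and the Policy string from get_bucket_policy; a bucket with no policy raises NoSuchBucketPolicy, which maps to passing None here. The check deliberately separates "public via ACL" from "public via policy", because the two are fixed in different places, and it keeps conditional wildcard statements visible instead of silently accepting them.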

Multiple leaks have occurred on Amazon in recent months, largely thanks to
misconfigurations of servers. The most notable was that of a Republican
Party marketing contractor that left data on more than 198 million voters
on an open database in June. In that case the information appeared to be
amassed from a wide range of sources, and included addresses, birthdates,
phone numbers and sentiment analyses for predicting individuals' opinions,
religion and ethnicity.