[BreachExchange] 95M records exposed on database belonging to marketing firm Maropost

Fri Apr 10 10:22:38 EDT 2020

https://siliconangle.com/2020/04/08/95m-records-exposed-database-belonging-marketing-firm-maropost/

A database belonging to marketing automation platform provider
Maropost Inc. has been found exposed online, complete with 95 million
individual customer email records and email logs.

Discovered by researchers at Cybernews, the database included more
than 19 million unique email records belonging to about 10,000
clients. Those clients include the New York Post, Shopify Inc.,
Fujifilm Holding Corp., Hard Rock Cafe Inc. and Mother Jones.

For once, the database wasn’t found on an Amazon Web Services Inc.
server but a Google Cloud server located in the U.S.

The researchers attempted to reach out to Maropost to inform it that
the database was exposed two months ago and despite ongoing attempts
were unable to get anyone to respond. In the end, the researches
decided to inform the Cybersecurity and Infrastructure Security Agency
at the U.S. Department of Homeland Security of the data breach.

They eventually received a reply April 1 from Maropost Chief Executive
Officer Ross Andrew Paquette, who claimed that the email addresses in
the database were randomized data the company used for external
testing. The researchers noted, however, that their tests showed this
not to be the case because the emails were real and deliverable.

“Like the vast majority of breaches, it is rooted in the company’s
failure to do the basics well — the basics of security policies and
standards, architecture and design, security assessment, and employee
awareness,” Kelly White, chief executive officer of risk assessment
firm RiskRecon Inc., told SiliconANGLE.

“It is also rooted in the failure of Maropost’s customers to hold them
accountable to operating a strong security risk management program,”
Kelly added. “Companies must operate robust third-party security risk
management programs that hold their vendors accountable to
implementing good security practices. Companies that don’t do so are
going to be doing business with insecure vendors and their data is
going to be compromised.”

Balaji Parimi, CEO of cloud security platform company CloudKnox
Security Inc., noted that cloud resource misconfigurations have become
one of the biggest threats to enterprises.

“There’s a simple reason these vulnerabilities are so prevalent: the
complexity of multi-cloud environments, combined with a lack of
visibility into who can do what, when and where,” he said. “When
combined, this leads to identities with excessive high-risk
permissions operating in environments where security teams can’t
answer simple questions like: ‘What permissions does each service
account or employee have?’ and ‘What actions have they performed?’”