[BreachExchange] Marketing firm Friendemic exposed 2.7 million customer records

Destry Winant destry at riskbasedsecurity.com
Tue Oct 13 10:35:10 EDT 2020


https://www.hackread.com/marketing-firm-friendemic-customer-records-exposed/

The exposed data belonged to Friendemic's customers and included full
names, email addresses, and phone numbers.

The dangers of unprotected Amazon S3 buckets are well documented. Yet
another firm has left cloud storage misconfigured and exposed the
records of nearly 3 million customers.

On Sep 12, 2020, Comparitech researcher and security expert Aaron
Phillips discovered a publicly accessible database containing the
personally identifiable information (PII) of approximately 2.7 million
consumers of Friendemic, a US-based digital marketing services
provider.

The exposed data included the names, email addresses, and phone numbers
of Friendemic customers in the US. The database was unencrypted and
publicly accessible: it was not password-protected, and no
authentication of any kind was required to read it.
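How an exposure of this kind is checked for on the AWS side, as an added illustration that is not code from Friendemic, Comparitech or hackread: the script below is an offline audit of the three settings that decide whether an S3 bucket answers unauthenticated requests (the public access block, the bucket policy and the bucket ACL). The bucket name `example-archive-backup`, the account ID, the role name and the sample policy and ACL documents are constructed for the example; in practice the same documents come from `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-acl`.

```python
"""Offline audit of the S3 settings that decide whether a bucket is public.

Added example, not code from any party named in the article. The inputs
mirror what `aws s3api get-public-access-block`, `get-bucket-policy` and
`get-bucket-acl` return; the documents below are constructed samples.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """`"*"` or `{"AWS": "*"}` means anyone, signed request or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Allow statements granting anonymous access with no Condition block.

    Conditional grants (aws:SourceVpce, aws:SourceIp, ...) are skipped here;
    they need a manual look rather than an automatic verdict.
    """
    policy = json.loads(policy_json)
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and _principal_is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def public_acl_grants(grants):
    """ACL grants to the AllUsers / AuthenticatedUsers pseudo-groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def public_access_block_effective(pab):
    """All four settings on: public policies and ACLs are neutralised."""
    return all(pab.get(k, False) for k in PAB_KEYS)


def assess_bucket(name, pab, policy_json, acl_grants):
    """Return human-readable findings; an empty list means no anonymous path."""
    if public_access_block_effective(pab):
        return []
    findings = []
    if policy_json:
        for s in public_statements(policy_json):
            findings.append(f"{name}: policy allows {_as_list(s.get('Action'))}"
                            " to anonymous principals")
    for g in public_acl_grants(acl_grants):
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"{name}: ACL grants {group} {g['Permission']}")
    return findings


# Constructed samples (hypothetical bucket, account and role).
BUCKET = "example-archive-backup"
PAB_OFF = {k: False for k in PAB_KEYS}
PAB_ON = {k: True for k in PAB_KEYS}

# The weak setting: anyone can list the bucket and fetch every object.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": [f"arn:aws:s3:::{BUCKET}",
                                f"arn:aws:s3:::{BUCKET}/*"]}]})

# The corrected setting: one named role in the owning account.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
                   "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                   "Permission": "FULL_CONTROL"}]
PUBLIC_READ_ACL = OWNER_ONLY_ACL + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

if __name__ == "__main__":
    for label, pab, pol, acl in [("exposed", PAB_OFF, EXPOSED_POLICY, PUBLIC_READ_ACL),
                                 ("hardened", PAB_ON, HARDENED_POLICY, OWNER_ONLY_ACL)]:
        print(label, assess_bucket(BUCKET, pab, pol, acl) or ["no anonymous access"])
```

Turning on all four public access block settings at the account level is the one change that makes a stray public policy or ACL on an old backup bucket inert, which is why the audit short-circuits on it; the policy and ACL checks matter for buckets created before that control was in place.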

Founded in 2020, Friendemic is a customer management and digital
marketing firm that mainly serves car dealerships. It offers services
such as social media advertising, online review management, sales
analytics, and video sharing.


Friendemic confirmed the incident and said the database was an archive
backup. The company secured the data promptly after Comparitech
notified it of the exposure, and then released an official statement
by email that read:

“While no company ever wants something like this to happen, we are
glad to have the vulnerability fixed. Thank you for notifying us and
acting professionally. We have also notified our clients of the
situation and have been doing a thorough review and enhancement of our
data security.”

In its blog post, Comparitech noted that it is unclear how long the
database was exposed before Phillips discovered it. After finding the
exposed database on Sep 12, Phillips notified Friendemic on Sep 14,
under Comparitech's responsible disclosure policy, and the database
was secured by Sep 15.

Friendemic has not said exactly who was affected by the exposure, but
stated that the data did not belong to its car dealership clients. The
company also says the OAuth tokens were not in use at the time the data
was exposed.

The Comparitech researcher wrote that it is also unclear whether any
unauthorized third party accessed the data. Even if no malicious party
did, Friendemic's customers should still get in touch with the company
and ask about the exposure.


More information about the BreachExchange mailing list