[BreachExchange] Data from millions of Brazilians exposed in Wi-Fi management software firm leak

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Nov 26 10:10:17 EST 2021


https://www.zdnet.com/article/millions-of-brazilians-exposed-in-wi-fi-management-software-firm-leak/

A Brazilian Wi-Fi management software firm was at the center of an incident
that exposed data of various high-profile companies and millions of their
customers.

The company in question is WSpot, which provides software that enables
businesses to secure their on-premise Wi-Fi networks and allow
password-free online access to their customers. The exposure was discovered
by security research firm SafetyDetectives.

The researchers found WSpot's misconfigured Amazon Web Services (AWS) S3
bucket, which was left open and exposed 10GB worth of data to the public.
After discovering the sensitive data on September 2, the researchers
contacted the software firm on September 7. WSpot secured the breach the
following day.

Some 226,000 files were exposed in the incident, the researchers noted,
including personal information from approximately 2.5 million individuals
who connected to the public Wi-Fi networks provided by WSpot clients. The
company's client portfolio includes Pizza Hut, financial services provider
Sicredi, and healthcare firm Unimed.

According to SafetyDetectives, the set of information exposed included
details supplied by individuals in order to access the Wi-Fi service
provided by the companies. This includes full name, email address, full
address, and taxpayer registration numbers -- in addition to the login
credentials created in the registration process.

WSpot confirmed the incident to ZDNet, saying the issue was caused by a
"lack of standardization in the management of information [stored] in a
specific folder." The Brazilian company reiterated that it has been working
to address the issue since it was contacted about it until the conclusion
of technical procedures on November 18.

WSpot states that its servers remain intact and were not invaded by
malicious actors, saying there's no evidence that the exposed data has been
accessed by cybercriminals. However, the software firm also stated that it
has hired a security company to fully investigate any repercussions in
relation to the data leaked in the incident.

WSpot says the issue impacted 5% of its total customer base, and none of
its clients had business and/or sensitive information compromised.
Additionally, it reiterated that it does not capture financial information
such as credit card details or access credentials to other services.

It's unclear whether the company will inform the individuals exposed about
the incident.

According to a WSpot spokesperson, the National Data Protection Authority
has not yet been contacted about the incident; however, "all legal issues
surrounding the case are being addressed by WSpot as thoroughly as
possible, especially in order to ascertain the next steps."