[BreachExchange] Silicon Valley VC Firm Leaked 'Deal Flow' Data

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 8 18:19:47 EDT 2021


https://www.govinfosecurity.com/silicon-valley-vc-firm-leaked-deal-flow-data-a-17696

A Silicon Valley venture capital firm that runs a matchmaking service
linking investors with startups exposed 6GB of data, including deal flow
information pertaining to investors and startups.

The data belongs to Plug and Play Ventures, which is headquartered in
Sunnyvale, California, and has offices around the world. Plug and Play
helps startups get off the ground and matches those companies with
investors. The firm says it has benefited from early investments in PayPal
and Dropbox.

The leaked data appears to be a PostgreSQL database for Playbook.vc, a
networking and deal flow application from Plug and Play.

The unencrypted data includes personal contact information for investors,
founders and CEOs. It includes personal information voluntarily submitted
by those people to Plug and Play, including names, phone numbers and email
addresses. There are more than 50,000 unique email addresses in the data.

The data includes usernames, hashed passwords and affiliated account data.
In other parts of the data there are snippets of emails - such as the
sender, recipient and subject line of an email - that were sent between
staff at Plug and Play and other users. The content of those emails,
however, doesn't appear to be in the data. The data appears to have been
scraped from G Suite, which is now known as Google Workspace.

There was also an exposed API key, although it isn't clear what kind of
data that unlocks. Usernames and password hashes were exposed as well.
Hashing means running a plain-text password through a one-way algorithm;
the cryptographic output is stored rather than the actual password, which
limits the damage in the event of a data breach. The hashes appear to be
pbkdf2 SHA256.
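The article notes the leaked hashes appear to be PBKDF2-SHA256, the scheme recommended for exactly this situation: a leaked database yields salted, iterated hashes rather than passwords. The following is an added illustration of how such hashes are produced and verified; it is not code from the article or from Plug and Play's application. It uses Python's standard `hashlib.pbkdf2_hmac`, and the stored-string layout (`pbkdf2_sha256$iterations$salt$hash`) and the iteration count are assumptions chosen for the example, not details reported about Playbook.vc.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; the real application's count is not
# reported in the article. Raise it as hardware gets faster.
DEFAULT_ITERATIONS = 260_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return an encoded PBKDF2-HMAC-SHA256 hash in the assumed
    'pbkdf2_sha256$iterations$salt$hash' layout (all base64)."""
    # A fresh random salt per password prevents precomputed-table attacks
    # and makes identical passwords hash differently.
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in
    constant time. Malformed or foreign-format strings verify as False."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking the mismatch position via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash uses fewer iterations than policy now requires.
    After a hash leak, records flagged here are the ones cheapest to attack
    offline and should be prioritised for a forced password reset."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("needs rehash:", needs_rehash(record))
```

The point for a breach like this one is the `needs_rehash` check: once hashes are public, the iteration count is the only thing slowing offline guessing, so records hashed under an older, lower work factor are the first candidates for a forced reset.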

ISMG found other documents, including a boarding pass and dozens of slide
decks written by companies for investors, with at least one marked
"confidential." There are also logs of IP addresses and what pages those
addresses visited.

The data would appear to give some clues as to what types of companies an
investor may be interested in, which could perhaps give an edge in the
ultra-competitive sphere of startup investment.

Exposed for a Year
The data appears to have been exposed to the public since Oct. 20, 2020,
due to a misconfiguration of an Amazon S3 storage bucket, according to the
researcher who found it. The researcher wishes to remain anonymous.

ISMG notified Plug and Play of the breach on Sept. 16. Syed Azhar, who is
Plug and Play's chief information officer, responded on Sept. 17.

Some exposed information appears to have been parts of emails scraped from
G Suite, now known as Google Workspace. Despite that contact, the data
exposure continued. Finally, by Oct. 2, the data was secured, after a tweet
the previous day by Australian security researcher Troy Hunt, who created
the Have I Been Pwned data breach notification service.

It's unclear why there was a delay in securing the data. Azhar did not
respond to a query as to whether Plug and Play will notify those in the
breach or regulators.

Plug and Play's website has a privacy policy indicating that its U.S.
operations fall under California law. California's data breach law requires
notification of residents if their unencrypted personal information "was
acquired, or reasonably believed to have been acquired, by an unauthorized
person," according to the state's attorney general's office.

The company also has offices throughout the European Union, which means if
there are E.U. residents in the breach, the General Data Protection
Regulation would apply. That requires entities to report data breaches
within 72 hours.