[BreachExchange] Marketing Firm Straffic Exposed 49 Million Emails On Unsecured Server

Destry Winant destry at riskbasedsecurity.com
Wed Mar 4 10:33:14 EST 2020


https://latesthackingnews.com/2020/03/03/marketing-firm-straffic-exposed-49-million-emails-on-unsecured-server/

This time the firm is Israeli marketing company Straffic, which
exposed 49 million emails via an unsecured database.

Though, the firm called the breach a vulnerability.

Straffic Exposed 49 Million Emails

Reportedly, Israeli marketing firm Straffic has exposed millions of
emails via an unprotected server. The leaky database held around 49
million unique email addresses, totalling some 140GB of data, along
with explicit contact details.

As elaborated in a post, the unsecured instance first caught the
attention of a researcher going by the alias 0m3n on Twitter. The
researcher found that Straffic had left the credentials for an
unprotected Elasticsearch database online, so anyone could access the
information it contained without hassle.

He told the Information Security Media Group (ISMG) that he became
curious about the server after receiving a spam message. Scratching
the surface revealed a .env file on a related webserver that pointed
to the Elasticsearch database.

"I have been getting spam text messages for the past two years from
random phone numbers with similar messages containing links to
gibberish domains. I decided to take a look at one and found a .env
file on the webserver of one of the domains in said messages which was
a config file that pointed to an AWS Elasticsearch instance."
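The mechanism the researcher describes, a Laravel .env left in a directory the web server serves, is something a deployment can check for before it goes live. The following is an added example, not code from the article, the researcher or Straffic: a small Python pre-deploy audit that walks a web root, reports every dotfile and parses any .env it finds to list the credential-like keys that would be exposed; the key-name patterns, the sample .env values and the placeholder Elasticsearch endpoint are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Key-name patterns treated as sensitive (an assumption for this example);
# Laravel .env files use names like DB_PASSWORD and AWS_SECRET_ACCESS_KEY.
SENSITIVE_KEY_RE = re.compile(
    r"(PASSWORD|SECRET|TOKEN|KEY|ELASTICSEARCH|AWS_|DB_HOST|_URL$)", re.I)

def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skip blanks and comments, strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def sensitive_keys(env: dict) -> list:
    """Keys whose names suggest credentials or backend endpoints (non-empty)."""
    return sorted(k for k, v in env.items() if v and SENSITIVE_KEY_RE.search(k))

def audit_webroot(webroot: str) -> list:
    """Return (relative path, sensitive keys) for every dotfile under the web
    root; a .env hit is reachable by URL unless the server denies dotfiles."""
    root, findings = Path(webroot), []
    for path in root.rglob(".*"):
        if path.is_file():
            keys = []
            if path.name.startswith(".env"):
                keys = sensitive_keys(parse_env(path.read_text(errors="replace")))
            findings.append((str(path.relative_to(root)), keys))
    return sorted(findings)

def demo() -> list:
    """Audit a constructed web root; every value below is a placeholder."""
    sample_env = ("APP_NAME=example-app\nAPP_DEBUG=false\n"
                  "DB_HOST=db.internal.example\nDB_PASSWORD=placeholder-not-real\n"
                  "ELASTICSEARCH_HOST=https://search-placeholder.es.amazonaws.example\n")
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_text("<?php echo 'ok';\n")
        Path(tmp, ".env").write_text(sample_env)
        return audit_webroot(tmp)

if __name__ == "__main__":
    for rel, keys in demo():
        print(f"exposed dotfile {rel}: {', '.join(keys) or 'no secrets parsed'}")
```

Run it against the directory your web server actually serves from; the right outcome is an empty list, with the .env kept outside the web root and the server configured to deny dotfiles anyway.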

According to ISMG analysis, the exposed information included names,
genders, email addresses, physical addresses and contact numbers,
though not for all records. The researcher could also see Laravel logs
on the database for a Straffic app. He also shared his discovery with
Troy Hunt of Have I Been Pwned, who could see 49 million unique email
addresses in the database.

While he confirmed that 70% of those emails were already present in
the HIBP records, the remaining new entries still form a huge number.

Not A Vulnerability. Rather, Misconfiguration…

After this discovery, Straffic swiftly secured the leaky database.
They also formally announced the breach, however, in a shady manner,
calling the misconfiguration a ‘vulnerability’.

As stated in their notice, "We've been reported that security
vulnerability has been found on one of the servers we use to provide
our services." Nonetheless, they confirmed they addressed the
'weakness': "We confirmed a weakness did exist and promptly patched it,
in addition to fortifying our existing security protocols. As of now,
all systems are secure and we did not find evidence of any data misuse
or data loss."

Troy Hunt said this was a 'worst disclosure' since it included no
specific details: "It offers nothing of substance regarding what data
was exposed, when the vulnerability was introduced, when it was fixed,
how many people were impacted and indeed if they're even being
notified.

"Then there's the comment that 'it is impossible to create a totally
immune system', which appears to serve no purpose than attempting to
excuse their failure to secure the system."
