Security researchers have discovered that recently established business-to-business (B2B) marketing firm OneMoreLead was storing the private data of up to 126 million people on an unsecured database, leaving it exposed to anyone with a web browser.
The researchers at vpnMentor warned that had malicious actors discovered the database – which includes information such as full names, email addresses, phones numbers, home IP addresses and workplace information – it would have been a “gold mine” for a range of criminal activities, from financial fraud and identity theft to large-scale phishing operations.
According to a disclosure blog by vpnMentor, its cyber security team unearthed the existence of the database on 16 April 2021 during a “vast web mapping project”, in which researchers were using large-scale web scanners to search for data stores with information that should be secure, and examining them for leaks.
After taking steps to verify its findings and identify OneMoreLead as the database’s owner, vpnMentor alerted the firm on 20 April, as well as Amazon Web Services (AWS) which was hosting the store on its cloud platform. The researchers added they received replies on the same day, and that the server had been secured by the following day.
By not securing the database, between 63 and 126 million people could have been affected, depending on how many of the records were duplicated. “Given the massive amount of people exposed, cyber criminals would only need to successfully defraud or attack a tiny portion to be successful,” said vpnMentor.
“Worse still, we viewed numerous .gov and New York Police Department email addresses in the database. Considering the complete list contained at least 63 million people, there were potentially many more sensitive email addresses. However, we only viewed a small sample.
“Private data from members of the government and police are a goldmine for criminal hackers – especially if a foreign government supports them. By attacking individuals in the US government, hackers can infiltrate otherwise secure, high-level government agencies. When this happens, it can result in major national security breaches and devastating loss of trust in the government.”
Read more about data breaches
- The user names and passwords of Tokyo 2020 ticket holders and event volunteers were reportedly compromised, but government official claims the data leak was not large.
- A group action against BA following its 2018 data breach has been successfully settled.
Researchers added that despite the likelihood of inaccuracies – for example, a person may no longer work at a business listed in the indexes – hackers could still use the data in a range of criminal activities, and that it may be possible to cross-reference entries with an individual’s online presence, such as a LinkedIn profile.
While vpnMentor’s investigation shows the data appears to have been uploaded into the store on 10 April, the origins of this data, and how exactly it ended up in the firms hands, remain unclear.
“The company is new, with no known clients and an unfinished website. So, it’s unlikely they collected data from 126 million people since opening in [April] 2020 – unless the people behind OneMoreLead were working on a similar business previously,” said vpnMentor.
“Furthermore, the exposed data bears an uncanny resemblance to a leak originally connected to the German B2B marketing company Leadhunter in 2020. (Leadhunter denied responsibility for the leak at the time, and researchers couldn’t confirm a link.)”
Similarities to Leadhunter breach
Based on its research, vpnMentor has come up with a number of scenarios to explain the similarities between the firms and their respective data breaches.
These include that both companies sourced their data from the same entity; that one of the two firms sold the data to the other (although discovering which was the seller would be difficult); that the people involved in OneMoreLead discovered the previous leak and downloaded the data; or that OneMoreLead was behind the original leak and has decided to monetise the data as part of a new company.
Computer Weekly contacted OneMoreLead for clarification about the origins of the data, but received no response by time of publication.
“Ultimately, we may never know how OneMoreLead amassed such a vast amount of data before exposing it to the world. However, the company has a responsibility to close the vulnerability and ensure it’s not leaked again,” said vpnMentor, which added that, due to the leak’s severity and size, as well as the strange circumstances surrounding it, OneMoreLead could face serious questions its competency and trustworthiness going forward.
“Potential clients may be unwilling to work with a new company that has exposed millions of people to fraud and cyber attack before it’s even finished its website. The company could also face legal action as a result. Many of the people exposed are California residents, which means they’re protected under the state’s CCPA [California Consumer Privacy Act] data privacy laws. If the Californian government, or any other government entity, was to pursue this case, it could cripple OneMoreLead.”
Computer Weekly contacted OneMoreLead for comment on the potential for legal repercussions, but received no response by time of publication.
To avoid the database’s information from being exposed, vpnMentor said OneMoreLead could have taken a number of basic security measures, including securing its servers, implementing proper access rules and not leaving a system that does not require authentication open to the internet.