An Indian customer relationship management (CRM) platform exposed user emails, physical locations, and other data related to users' daily tasks.
Cybernews researchers recently discovered an open dataset with a significant amount of sensitive B2B data owned by Metroleads, an AI-powered platform used to manage interactions with (potential) customers.
Cybernews informed the company about the leak, and the database is now closed.
What's in the dataset
On October 6, the Cybernews research team discovered an unprotected Cassandra instance that they were able to attribute to metroleads.com, owned by MetroGuild India. Cassandra is a free and open-source data storage solution designed to handle large amounts of data.
The open dataset contained 4,500 user emails. Cybernews considers it a high number since these addresses belong to different business entities and can be exploited for various attacks, such as business email compromise. For example, threat actors could use email addresses to send fraudulent transactions on behalf of Metroleads.
"The leaked information could be used to set up fraudulent deals between organizations or their customers," Cybernews researcher Aras Nazarovas warned.
Even though the dataset is now closed, it was open for days, and cybercriminals have the means to discover open datasets like this in mere hours. Therefore, Metroleads customers should remain vigilant and look out for phishing attacks or impersonation attempts.
The dataset also contained 9,000 session initiation protocol (SIP) tokens linked with specific user accounts. SIP is typically used for video or voice over internet protocol (VoIP) services, ranging from apps like Zoom to Signal and WhatsApp.
"Threat actors could use these email-token pairs to call partners, impersonate a specific company, or hijack ongoing calls," Nazarovas said.
Moreover, the dataset contained over 800,000 user location and coordinate records, as well as time stamps indicating when the information was collected.
"The location information could be used to track specific employees or high-ranking officers of these organizations," Nazarovas said.
The dataset also contained 432 entries of user device information, including their language settings and time zones.
Unfortunately, researchers stumble upon leaky databases quite often. The Thomson Reuters leak, recently discovered by the Cybernews research team, is a stellar example showing that even big market players that have taken measures to prevent this kind of error are not immune.
In many cases, companies react quickly and close those buckets of sensitive information immediately after being notified. However, sometimes, attackers manage to cripple an organization before it gets a chance to fix the security issue.
For example, a Harvard Business Publishing licensee in Turkey left a dataset with over 152,000 customer records open, and threat actors got there before the owner was able to close it. Crooks left a ransom note, threatening to leak the data and inform authorities of the EU’s General Data Protection Regulation (GDPR) violations.
“The biggest mistake companies are making is that they are focusing more on protecting the ever-growing number of attack vectors instead of their most precarious asset – the data in their databases,” Manav Mital, CEO and founder of security company Cyral, told Cybernews.
According to him, exposed databases have led to record levels of data breaches. Attackers can quickly deploy ransomware, steal data or simply delete it for fun, or try to cripple an organization.
He added: “If an attacker can penetrate the defenses of a cloud, network, application, API [application programming interface], or an employee’s credentials, little stands in the way of them accessing pretty much all the sensitive data in the organization.”