A data leak at multinational Cosentino Group has raised concerns about big companies potentially leaking customers' home addresses, with security experts warning of the substantial dangers.
Big companies have access to vast amounts of personal information about their customers. However, this data comes with a great responsibility to protect privacy and security.
Unfortunately, Cybernews research is showing that big businesses are leaking their customers' home addresses, and a treasure trove of other personal information.
As a case in point, our research team recently discovered a misconfiguration that affected Spanish-owned Cosentino Group, which does business in over 80 countries and has production facilities worldwide, including in Spain, Brazil, and the US.
The multinational specializes in the production and distribution of high-end surfaces for both residential and commercial spaces, including kitchen and bathroom countertops, flooring, cladding, and outdoor surfaces.
A misconfiguration on Cosentino’s site allowed threat actors to access customers’ home addresses along with full names, emails, and phone numbers. The leak is a clear example of big corporations failing to protect private consumer data.
Other research by Cybernews previously revealed that the largest window and door manufacturer in North America, Andersen Corporation, was leaking not only home addresses but also photos of the exterior and interior of their clients’ houses along with other personal data.
How dangerous might exposing home addresses turn out to be? Security experts say that doing so could pose potentially dreadful risks.
Cosentino leaked data through warranty PDFs
Researchers found an address-leaking vulnerability on the Cosentino website. When a customer has a worktop installed in their home, they are typically required to register online to receive a warranty from the manufacturer. This is intended to cover defects in or damages to the stone, such as chipping or warping.
Upon registering for the warranty, researchers were allowed to download a PDF copy of the document. However, when examining the HTTP request associated with the download link, they discovered a PDF ID that could be easily manipulated.
Incrementally changing the number at the end of the URL allowed one to switch between different warranty documents, meaning anyone could have gained access to other customers' PDFs and viewed their personal details, such as full names, emails, addresses, and phone numbers.
This is known as an insecure direct object reference (IDOR) vulnerability: the server returns whatever object the client-supplied identifier points to without checking that the requester is entitled to it, which could allow unauthorized access to sensitive information. Cybernews reached out to Cosentino regarding the leak, and at the time of writing, the company claimed it had secured access to its site.
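The flaw described above, next to a corrected lookup, as an added example that is not Cosentino's code. The storage layout, function names, and sample records are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Warranty:
    owner: str   # account that registered the warranty
    pdf: bytes   # rendered document holding name, address, phone

class NotFound(Exception):
    """Raised for both missing documents and documents owned by someone else."""

# Constructed sample records keyed by a sequential number, as in the flawed design.
BY_NUMBER = {
    1001: Warranty("alice", b"%PDF-1.4 alice, 1 Example Street"),
    1002: Warranty("bob", b"%PDF-1.4 bob, 2 Example Street"),
}

def download_vulnerable(session_user, pdf_id):
    # IDOR: the ID from the URL is the only input consulted; session_user is ignored.
    return BY_NUMBER[pdf_id].pdf

BY_TOKEN = {}

def register(owner, pdf):
    # 128 random bits: one document's ID reveals nothing about its neighbours.
    token = secrets.token_urlsafe(16)
    BY_TOKEN[token] = Warranty(owner, pdf)
    return token

def download_hardened(session_user, token):
    doc = BY_TOKEN.get(token)
    # The ownership check is the actual fix; the random token is defence in depth.
    # One error for "missing" and "not yours" so responses do not confirm valid IDs.
    if session_user is None or doc is None or doc.owner != session_user:
        raise NotFound("no such warranty")
    return doc.pdf
```

Replacing sequential numbers with random tokens alone would not close the hole, because a link that is shared, logged, or cached would still open the document for anyone; the server-side ownership check is what enforces access.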
Why exposing home addresses is dangerous
Leaking home addresses seems to be a rare occurrence. According to VPN service provider Surfshark, the top five most leaked data points in all countries are email addresses, passwords, and account IDs. By contrast, a mere 1% correspond to home addresses.
Nonetheless, while cybercriminals tend to mainly hunt for digital credentials, exposed home addresses can pose various risks. Tautvydas Jašinskas, chief security officer at Surfshark, indicates that the main risk of threat actors using home addresses, phone numbers, emails, and names is phishing attacks.
“For example, criminals can set up a fraudulent call from a supposed ‘electric service company’ and inform the user that people living at the address are in debt, which they must pay into the bank account possessed by criminals,” said Jašinskas.
He added that leaked home addresses can also be leveraged in more insidious cases, such as ransomware or racketeering, where individuals are threatened with harm or blackmail because criminals know where they live.
Jašinskas names more examples of how leaked personal information can be exploited by cybercriminals. One such example is social engineering attacks: threat actors can use the information to help them pose as an authority figure such as a police officer asking questions, to extract further sensitive data from unsuspecting victims.
“Various cases were recorded when cybercriminals used home or office addresses to send infected USBs, which would infect people's computers when used. But there were no such significant cases recently,” he said.
Threat actors can target wealthy customers
Disclosing one's location can help link someone's home address with their wealth. This means cyber attackers can identify and target the richest potential victims by tracking those living in upmarket neighborhoods.
This relates closely to the Cosentino case, as the customers whose data was leaked had recently bought an expensive stone worktop: this sheds light on their financial situation and can potentially make them targets of burglary or other forms of property theft.
According to Neil Jones, director of cybersecurity at content security company Egnyte, if a company leaks home addresses, as in the Andersen case, threat actors can simply show up at clients' doorsteps. For instance, “unscrupulous contractors” might try to solicit additional services or demand additional “payments” for home renovation.
Further intelligence gathering
According to Tyler Moore, the lead security analyst at cybersecurity firm Cyderes, hackers often rely on open-source intelligence (OSINT) investigations to find out where someone lives. While the residential address by itself is not enough for a social engineering attack, it could be a starting point.
“I'm a hacker. I get a list of addresses from a data breach. I’d prefer to have social security numbers or bank details, but this is what I have to work with, so let’s go with it,” said Moore, suggesting a hypothetical scenario of how threat actors might exploit a leaked address.
A hacker would most likely begin to investigate the information by looking up the address on real-estate websites such as Zillow or Realtor. Additionally, one may search for public records to determine the owner of the property and use Google Maps’ “street view” function to find identifying features, such as a license-plate number.
“Once I have a name, I'll start researching that person, [their] social media, online presence, and so on. Then I might try to hack their email account,” added Moore.
Leaking addresses can also lead to doxxing, or publicly outing a person’s personal details online. This can have dire consequences, as it involves the exposure of an individual's personal information, including address, phone number, and other sensitive details. The loss of privacy can leave individuals vulnerable to targeted attacks and online harassment.
In 2015, the so-called hacking division of the Islamic State reportedly released profiles of 100 US service members, which contained their alleged home addresses. The group urged "brothers residing in America" to target and kill those whose names were listed.
This incident raised concerns about the safety of US military personnel and their families, as well as the potential for terrorist groups to use online platforms to spread propaganda and incite violence. The US government responded by taking measures to increase the security of service members and their families.
Exposed personal information can also make it easier for criminals to engage in stalking or other malicious acts like swatting – the dangerous practice of calling armed police and falsely claiming that a crime is taking place at the victim's address.