LADbible Group leaks internal data


LADBible group, a popular viral media publisher, has leaked employee email addresses, links to its social media, a list of advertisers, and data on articles, among other information of high value to attackers.

LADBible Group, a subsidiary of LBG Media, is a British digital publisher targeting youth, with websites like UNILAD, GAMINGbible, and Tyla, among others. As per its website, the group boasts a global audience of almost 1 billion people.

The Cybernews research team recently discovered an unprotected 4GB-strong database with information on LADBible’s employees and business information. While the information might not seem very sensitive at first glance, in reality, it could have serious implications for the company and its employees.

LADbible data leak

Our researchers stumbled upon an open ElasticSearch instance containing internal data belonging to the LADbible Group. It contained the following information:

  • Leaked employee emails, including 280 that belonged to employees of all their brands: LADbible, GAMINGbible, SPORTbible, UNILADadventure, UNILADtech, UNILAD, ODDSbible, UNILADsound, and Tyla.
  • Links to employee social media profiles.
  • Current employee access roles – making those with more permissions within the company much more lucrative targets.
  • Employee device IDs.
  • Access to TheLADbible Group’s EMS (Microsoft Enterprise Mobility + Security) system login panel. The EMS system is most often used to control all employee devices, servers, provide threat protection, and remote administration tools even though we can’t discern how LADbible used it.

“Although the leaked data may initially appear unremarkable, it's important to emphasize that obtaining this data through public channels would prove exceedingly challenging. This underscores the heightened reliability of the data we've stumbled upon,” researchers said.

LADbible data leak proof

It makes a good starting point for an attacker wishing to inflict reputational and financial damage on the victim since “having access to this Elasticsearch instance would have provided an accurate and up-to-date list of employees, their emails, and access roles, among other things”.

Cybernews reached out to the media representatives for an official comment but has yet to hear back from them. The dataset, on the other hand, has been secured.

The aftermath

Upon first inspection, the data leak might not seem that sensitive. However, trying to source such information online would be difficult, if not impossible, and not as reliable as getting it from the primary source.

Second of all, the EMS system being publicly accessible without IP restrictions is a security issue since, as per our researchers, it would most likely have privileged access to employee devices and other internal servers.

“It’s crucial that this system doesn’t fall into the wrong hands.” Cybernews researchers said, and listed a number of serious repercussions that could result from attackers gaining access to the Domain Controller, a crucial part of Active Directory:

  • Attackers could gain control of all devices within the organization, including encryption and decryption of device data storage.
  • Attackers could install additional software on devices, add and remove users.
  • Attackers could change passwords and security policies.
  • Attackers could mark a malicious code as bening to bypass threat protection systems.

Mitigation in a nutshell

Our researchers prepared a comprehensive list of mitigation steps that the LADbible Group, as well as any other company facing a similar issue, should take.

Publicly accessible EMS authentication panel

  • The EMS authentication panel is used to verify access to a resource on the Azure Active Directory (ADD) domain, or to the whole network managed by ADD.
  • The login panel being publicly accessible allows for remote attackers to attempt to authenticate to the Active Directory resource or network.
  • 2FA is enabled by default on ADD, meaning it would be more difficult for attackers to breach systems.
  • TheLADbible Group should ensure that Active Directory resources are only accessible from a trusted network., and that such panels cannot be accessed from any internet connected device.

Leaked employee email addresses, social media handles, user roles and device IDs

  • In the context of the EMS system, email addresses serve as partial credentials for logging into the system, as well as contact addresses for communications regarding password resets or any other communications in relation to the EMS system.
  • Social media handles most likely do not serve a significant purpose. User roles describe the level of access a user has, as well as what rules may be applied to their device as well as their account.
  • Device IDs help identify and direct requests to and from that employee’s work device.
  • Leaked email addresses can be used for phishing those employees with the most access, as this is also described in the user roles. Since the authentication system is configured securely (employees are asked to use 2FA when signing in), attackers may attempt to send cookie-stealing malware, among other things.
  • The EMS login page should be made only accessible from trusted networks, and system administrators should ensure that employees change their passwords (in case some of them use previously leaked passwords as their EMS password). They should also check that MFA is enabled and required for all employees, ensure that their authentication configuration is “hardened,” authentication cookies expire in a reasonable period of time, and that their EDR and XDR services are working correctly with “hardened” configurations.