Cybernews
  • News
  • Editorial
  • Security
  • Privacy
    • What is a VPN?
    • What is malware?
    • How safe are password managers?
    • Are VPNs legal?
    • More resources
    • Strong password generator
    • Personal data leak checker
    • Antivirus software
    • Best VPN services
    • Password managers
    • Secure email providers
    • Best website builders
    • Best web hosting services
  • Follow
    • Twitter
    • Facebook
    • YouTube
    • Linkedin
    • Flipboard
    • Newsletter

© 2021 CyberNews - Latest tech news, product reviews, and analyses.

Our readers help us create quality content. If you purchase via links on our site, we may receive affiliate commissions. Learn more

Home » Security » Marketing agency for NFL, Mastercard, MLB and Soundcloud exposes clients’ sensitive data

Marketing agency for NFL, Mastercard, MLB and Soundcloud exposes clients’ sensitive data

by Bernard Meyer
14 October 2020
in Security
0
Marketing agency for NFL, Mastercard, MLB and Soundcloud exposes clients’ sensitive data
20
SHARES

CyberNews recently discovered that the digital marketing agency teamDigital was exposing multiple environment config files which contain sensitive data. By exposing this type of data, teamDigital is putting their own data and the data of their clients – big names like the NFL, Mastercard, Soundcloud, and more – at risk, potentially leading to ransomware, targeted phishing campaigns, and others. 

An environment file (with a filetype .env) is the main configuration file of a web application that contains sensitive data needed for an application to work, including database credentials, email provider credentials, and API keys. For that reason, it should never be made publicly accessible or committed to a Git where it in some cases can be accessed by others. 

Our researchers discovered three separate environment files that contained information to access teamDigital’s Mastercard, SMS tool, and FTP databases, including the League of Legends-related MasterCardNexus Twitter API keys, which would allow a cybercriminal to control much of that account. 

We notified teamDigital of the exposed files immediately when we discovered them on October 9, 2020, and they reported to CyberNews that the issue was addressed the same day. A request for comment from teamDigital was not returned by the time of publishing. 

Who is teamDigital?

These environment config files belong to the digital marketing agency teamDigital Promotions, Inc. located in Connecticut. Besides digital marketing, teamDigital also provides services related to legal compliance and administration, plus engagement solutions and platforms. According to teamDigital’s website, its clients include such top brands as:

  • NFL
  • MLB 
  • Carnival Cruise Line
  • Mastercard
  • NASCAR
  • Xfinity
  • WNBA
  • Soundcloud
  • The 100-year-old clothing brand New York & Company

League of Legends, Mastercard and teamDigital client data exposed

Due to misconfigured environment files, CyberNews was able to access the data of some of teamDigital’s clients. It appears that teamDigital is using Egnyte, which is a cloud platform for sharing files, and whose website promises “a unified platform to govern and secure content everywhere.”

Due to the misconfiguration, anyone was allowed to view multiple environment config files, including:

  1. teamDigital’s FTP env file. We were able to view teamDigital’s FTP username and plaintext password. This file also contains the MastercardNexus (@mastercardnexus) Twitter API keys. MastercardNexus is the official Twitter account for @LoLesports for League of Legends, arguably the most popular esports title currently available. 
  2. teamDigital’s SMS Tool env file. We were able to view teamDigital’s MySQL database username and plaintext password, its AWS access key and ID, and other related accounts.
  3. Mastercard Privacy API env file. Although we are unsure what this file is related to, it contains, again, plaintext MySQL database credentials, API keys, and other data related to Mastercard.

Example from teamDigital env file for its SMs tool:

Example from teamDigital’s FTP and MastercardNexus file

Example from teamDigital’s FTP and MastercardNexus file:

Example from teamDigital’s FTP and MastercardNexus file

What’s the impact of the teamDigital exposed files?

The true scope of the teamDigital environment config exposure would only be ascertained by accessing the various databases and understanding what permissions are granted, what data is contained in the FTP server, and so on.

However, we refrained from doing so based on legal and ethical reasons. Nonetheless, we can estimate the impact of the exposed files by looking at each in turn.

The FTP credentials and MastercardNexus Twitter API keys

If cybercriminals were to use the FTP details contained in the first env config file, they would be able to access teamDigital’s FTP server. While we can’t be certain what data is contained there, it is possible that it houses sensitive information about teamDigital’s business and its long list of popular clients, including the NFL, MLB, WNBA and others. What kind of data could a digital marketing agency have related to those brands? Most likely similar Twitter API keys, as well as other social media credentials. There may also be private, marketing-related materials that those brands would like to keep from the public eye.

Beyond that, with the MastercardNexus Twitter API keys, a cybercriminal would be able to access that account and tweet various messages, for example, during a League of Legends esports competition, such as the ‘Worlds’ championship that is currently in full swing. These could be similar to the cryptocurrency tweets of the Great Twitter Hack from July 2020, where multiple Twitter verified accounts tweeted out bitcoin-related scam messages. Seeing as Mastercard is a leading financial institution, these tweets might prove convincing.

teamDigital’s SMS tool and Mastercard Privacy

For these two env config files, we’re less confident about what could be done with the data contained there. First of all, teamDigital provides no real information that it even has an SMS tool. Nonetheless, it does have the MySQL database and AWS account credentials in the file, as well as the credentials for another service. With these, cybercriminals can access, steal and potentially manipulate those files.

Similarly, we are unsure what the Mastercard Privacy API env config file relates to. Cybercriminals would certainly be able to figure it out by accessing the MySQL database. Nonetheless, we believe this is related to teamDigital’s “legal compliance and administration” services, with multiple API get and post URLs provided in the file.

Next steps

We disclosed the issue to teamDigital on Friday, October 9, 2020 when we discovered it. On the same day, teamDigital reported to CyberNews that the issue “has been addressed.” We confirmed that the environment files were no longer accessible.

In general, then, we can provide the following important steps to ensure your data is safe:

  1. For developers, at teamDigital and elsewhere, make sure that your .git and .env folders are not publicly accessible, and that your repositories are not visible. Even then, you should avoid committing sensitive keys and files to the repository
  2. If you are a client of teamDigital or a company connected to it, make sure to check your online accounts for any strange behavior. You should also review the communications between your company and teamDigital to see if any sensitive details were exchanged.
  3. Lastly, for users, depending on what social media credentials might have been exposed, make sure to be critical of suspicious tweets or other social media posts, even if those accounts are verified.

Protect yourself online with our hand-picked digital privacy tools

Password managers

  • Are password managers safe?
  • Best password managers
  • Dashlane review
  • NordPass review
  • LastPass review

Antivirus software

  • Best antivirus software in 2021
  • Bitdefender antivirus review
  • TotalAV antivirus review
  • Malwarebytes review
  • ESET antivirus review

VPN

  • What is a VPN?
  • Best VPN services in 2021
  • NordVPN review
  • Surfshark VPN review
  • ProtonVPN review
Share20TweetShareShare
Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Editor's choice

500M LinkedIn user records sold on hacker forum
News

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof

by CyberNews Team
6 April 2021
5

We updated our leak checker database with more than 780,000 email addresses associated with this leak...

Read more
LinkedIn, FB, Twitter, Clubhouse apps seen on an iPhone

Recent Facebook, LinkedIn and Clubhouse leaks explained

15 April 2021
Cheapest tool to kill satellites? A computer

Cheapest tool to kill satellites? A computer

13 April 2021
A gift to criminals and tyrants? Soon, wireless devices could become object sensors

A gift to criminals and tyrants? Soon, wireless devices could become object sensors

13 April 2021
“Not ideal” from a privacy standpoint: Clubhouse API lets “anyone” scrape public user data

“Not ideal” from a privacy standpoint: Clubhouse API lets “anyone” scrape public user data

12 April 2021
  • Categories
    • News
    • Editorial
    • Security
    • Privacy
  • Reviews
    • Antivirus Software
    • Password Managers
    • Best VPN Services
    • Secure Email Providers
    • Website Builders
    • Best Web Hosting Services
  • Tools
    • Password Generator
    • Personal Data Leak Checker
  • Engage
    • About Us
    • Send Us a Tip
    • Careers
  • Twitter
  • Facebook
  • YouTube
  • Linkedin
  • Flipboard
  • Newsletter
  • About Us
  • Contact
  • Send Us a Tip
  • Privacy Policy
  • Terms & Conditions
  • Vulnerability Disclosure

© 2021 CyberNews - Latest tech news, product reviews, and analyses.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.
Subscribe For Security Tips And CyberNews Updates
Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!
Our Privacy Policy and Terms & Conditions

Home

News

Editorial

Security

Privacy

Resources

  • About Us
  • Contact
  • Careers
  • Send Us a Tip

© 2020 CyberNews – Latest tech news, product reviews, and analyses.