ADVERTISEMENT

Marketing agency for NFL, Mastercard, MLB and Soundcloud exposes clients’ sensitive data

Marketing agency for NFL, Mastercard, MLB and Soundcloud exposes clients’ sensitive data
Bernard Meyer
Bernard Meyer Senior Researcher
Oct 14, 2020 Updated: 28 April 2025 3 min read

Who is teamDigital?

  • NFL
  • MLB
  • Carnival Cruise Line
  • Mastercard
  • NASCAR
  • Xfinity
  • WNBA
  • Soundcloud
  • The 100-year-old clothing brand New York & Company

League of Legends, Mastercard and teamDigital client data exposed

  1. teamDigital’s FTP env file. We were able to view teamDigital’s FTP username and plaintext password. This file also contains the MastercardNexus (@mastercardnexus) Twitter API keys. MastercardNexus is the official Twitter account for @LoLesports for League of Legends, arguably the most popular esports title currently available.
  2. teamDigital’s SMS Tool env file. We were able to view teamDigital’s MySQL database username and plaintext password, its AWS access key and ID, and other related accounts.
  3. Mastercard Privacy API env file. Although we are unsure what this file is related to, it contains, again, plaintext MySQL database credentials, API keys, and other data related to Mastercard.
Example from teamDigital’s FTP and MastercardNexus file
ADVERTISEMENT
Example from teamDigital’s FTP and MastercardNexus file

What’s the impact of the teamDigital exposed files?

The FTP credentials and MastercardNexus Twitter API keys

teamDigital’s SMS tool and Mastercard Privacy

Next steps

  1. For developers, at teamDigital and elsewhere, make sure that your .git and .env folders are not publicly accessible, and that your repositories are not visible. Even then, you should avoid committing sensitive keys and files to the repository
  2. If you are a client of teamDigital or a company connected to it, make sure to check your online accounts for any strange behavior. You should also review the communications between your company and teamDigital to see if any sensitive details were exchanged.
  3. Lastly, for users, depending on what social media credentials might have been exposed, make sure to be critical of suspicious tweets or other social media posts, even if those accounts are verified.

Our hand-picked digital services for online presence and privacy

ADVERTISEMENT