The CyberNews research team discovered an exposed database belonging to Maropost, a marketing automation platform that operates offices in the US, Canada, and India.
Maropost provides solutions including email “marketing, commerce, service, clienteling, and referral” to companies across the world. The company’s 10,000+ clients include such big names as the New York Post, Shopify, Fujifilm, Hard Rock Café, and Mother Jones.
The database in question contains what appears to be close to 95 million individual customer email records and email logs left on a publicly accessible server.
What was in the database?
The unsecured database contained email logs that were apparently related to Maropost’s marketing campaigns, including:
• 19,214,884 unique email addresses appearing across roughly 95 million records, apparently belonging to the company’s clients and to those clients’ customers
• Email log metadata for each record, such as the exact date and time an email was sent, who sent it and to whom
This means that, for as long as it sat in the open, the database may have exposed what appears to be the entire Maropost email marketing client base, as well as the customers of those clients.
Example of leaked record:
At this point, the database appears to have been closed and is no longer accessible.
Who had access?
The exposed Maropost database was hosted on a Google Cloud server located in the US. We don’t know exactly how long the database was left out in the open, but during the exposure period anyone who found it could have accessed its contents without authentication.
What’s the impact?
The data found in the Maropost database can be used in a variety of ways against the people whose email addresses were exposed:
• Carrying out targeted phishing attacks against the exposed addresses which, at this scale, could feed identity theft on a massive scale
• Blackmailing Maropost’s clients by threatening to hand their marketing lists to competitors
• Spamming the 19 million email addresses
• Credential-stuffing or brute-forcing the accounts behind these email addresses
While the leaked database does not appear to contain truly sensitive information like social security numbers or credit card details, even an email address can be enough for an attacker to cause real damage.
For example, attackers can combine the exposed email addresses with data from other breaches to build more complete profiles of their potential victims, then stage phishing and social engineering attacks or engage in identity theft. This particular leak could make the addresses especially useful: if attackers know that a victim is subscribed to marketing emails from Shopify or the New York Post, they know exactly who to send the scam email to, when to send it, who to impersonate and what to say to make the victim take the bait.
Maropost’s serious lack of customer service
If you try to find information online about Maropost’s CEO, Ross Andrew Paquette, you’ll see him on multiple websites talking about the secret to their success: customer service.
But after our experience trying to notify Maropost of their database breach, we discovered just how wrong that storyline was.
We went through multiple channels to get in touch with literally anyone at Maropost who could escalate this issue, and for two entire months, we failed on every single channel. In fact, this journey of simply trying to contact any responsible person at the lauded marketing company began to create a story in and of itself, one of a company focused on presenting a good face, but seemingly lacking even the most basic of communication capabilities.
All our failed communication attempts
Channel 1: email
As always, we first tried to notify the responsible parties via email. We sent a message on January 30 to their privacy and support addresses, but received nothing back.
Channel 2: live chat
Since email didn’t work, we went ahead and tried to get the contact information for the responsible person via their live chat. Either that, or we hoped that their customer support staff – which the CEO Paquette praises – would be able to escalate the issue.
Instead, their customer support agent closed the chat immediately after our disclosure notice and we got ignored again.
Channel 3: Twitter
Then, we decided to contact both Paquette and Maropost on Twitter. Everyone’s on Twitter, right, especially a storied marketing agency such as Maropost?
Guess not. We got ignored, again.
Channel 4: LinkedIn
At this point, we’re scratching our heads. Nonetheless, we wanted to be responsible in disclosing this open database to Maropost. Scouring other channel options, we saw that Maropost’s CTO, Jagdeep Singh, is on LinkedIn, and we thought – why not? The CTO of a marketing company sounds like a person who’d most likely want to know about an open, unsecured database.
Again, guess not. Our message and connection requests (with the open database disclosure information attached) got ignored.
You’re starting to see the trend here.
(At this point, we decided to notify CISA, the Department of Homeland Security agency that handles vulnerability coordination for the US. This wasn’t going to be our first choice, but seeing as no one at Maropost seemed to be checking their email, customer support, or social media, we decided to notify other authorities.)
Channel 5: email, part 2
Our email attempts for their privacy and support emails didn’t succeed, so we looked for other avenues. We then sent an email to the following inboxes:
- info (the general email that should be checked from time to time)
- ross (the CEO’s email address)
- abuse (the email address to report abuse, we assumed)
By now, you can guess what happened: nothing. No responses, five channels down.
So what was to be our next step?
Channel 6: an actual phone call
Yes, in this day and age, in early 2020, we did something that people rarely do: we called them. We physically dialed a phone number into a physical phone and tried to physically speak with our voices to people on the other line.
We tried their general help line (press ‘0’) and we tried their client hotline (press ‘2’). Then we tried both options again, later in the day.
Again, nothing. No one picked up the phone at any time. We began to wonder if Maropost, as a company, even still existed.
Channel 7: live chat, part 2
Exhausted, we decided to try their live chat again. This time, fortunately, we got a real human being to talk with us. The agent informed us that “the concerned team is unavailable as of now”. Eventually, they promised to escalate the issue and get back to us with any updates.
We’re still waiting for that email update, by the way.
And, as we later found out, CISA sent two notifications to Maropost’s hosting company on our behalf. What exactly is going on at that company?
Channel 8: email, part 3
On April 1, 2020, after two months of unsuccessful communication attempts, we finally got a reply from Maropost CEO Ross Andrew Paquette. According to Maropost, the email addresses in the database were randomized data the company uses for internal testing.
However, our own tests show that not to be the case. At the very least, the email addresses appear to be real and deliverable.
Another day, another data breach?
With reports of millions of user records being exposed becoming a monthly or even weekly occurrence, even a 95 million-record data leak can seem unsurprising. That is exactly why the Maropost leak is yet another reminder that, even after what could have been a record-breaking year for data breaches, data protection still needs to be higher on the priority list for many organizations.