Online marketing company exposes 38+ million US citizen records

The CyberNews research team discovered an unsecured data bucket that belongs to View Media, an online marketing company. The bucket contains close to 39 million US user records, including their full names, email and street addresses, phone numbers and ZIP codes.

The database was left on a publicly accessible Amazon Web Services (AWS) server, allowing anyone to access and download the data. Following the 350 million email leak covered by CyberNews earlier in August, this is the second time this summer we encountered an unsecured Amazon bucket containing such massive amounts of user data.

On July 29, the exposed View Media bucket was closed by Amazon and is no longer accessible.

To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.

What data is in the bucket?

The publicly available Amazon S3 bucket contained 5,302 files, including:

  • 700 statement of work documents for targeted email and direct mail advertising campaigns stored in PDF files
  • 59 CSV and XLS files that contained 38,765,297 records of US citizens in total, of which 23,511,441 records were unique

The user record files were created based on locations and ZIP codes that the marketing company's campaigns were targeting and contained full names, addresses, zip codes, emails, and phone numbers of people based in the US.

Aside from the statement of work documents and user records, the bucket contained thousands of files for various marketing materials, such as banner advertisements, newsletters, and promotional flyers.

Examples of exposed records

Here are some examples of the user records and statement of work documents left on the publicly accessible bucket.

Most of the CSV files contain user records for what we assume to be target demographics for either digital or physical marketing materials.

censored list with emails and phone numbers
censored list with names and addresses

The statement of work documents for marketing campaigns date between 2018 and 2019:

censored document from tribure digital
censored document from gray

Who owns the bucket?

The unsecured Amazon S3 bucket appears to belong to View Media, an online marketing company that specializes in email marketing, display advertising, design, hosting, direct mails, date sales, and other digital marketing services. The company offers targeted marketing services to American publishing brands like Tribune Media and Times Media Group.

Apart from millions of user records, the bucket also contains thousands of marketing newsletters, promotional flyer designs, banner ads, and statement of work documents created by View Media for its clients.

Who had access?

The bucket was hosted on an Amazon AWS server that has been exposed for an unknown period and it is unclear if any bad actors have accessed the data stored therein.

With that said, unsecured Amazon buckets are relatively easy to find and access without any kind of authorization, which means that anyone who knows where to look could have downloaded the files.

What’s the impact?

Even though the files in the unsecured Amazon S3 bucket do not contain deeply sensitive personal information such as social security or credit card numbers, cybercriminals can use the personal details in the database for a variety of malicious purposes:

  • Scammers can use the names, email addresses, and phone numbers of the exposed people for a wide variety of fraudulent schemes
  • Simple contact details can be enough for spammers and phishers to launch targeted attacks against 38+ million exposed Americans from multiple angles, such as robocalls, text messages, emails, and social engineering campaigns
  • Determined cybercriminals can combine the data found in this bucket with other data breaches to build profiles of potential targets for identity theft

What happened to the data?

Because we were initially unable to identify the owner of the unsecured bucket, we contacted Amazon on July 27 to help them secure the database. They were able to close the bucket on July 29.

We then reached out to one of the marketing company's clients mentioned in the statement of work documents that were stored on the bucket, who helped us identify View Media as the owner of the database on August 21. On August 24, we contacted View Media for an official comment regarding the leak. However, we received no response from the company.

Should you be worried and what to do if you’ve been affected?

If you are a US citizen, there is a chance that your data might be exposed in this leak. To see if you have been affected by this breach, we recommend doing the following:

  1. Use our personal data leak checker to see if your email address has been leaked.
  2. If your email happens to be among those leaked, immediately change your email password and use a password manager.
  3. Look out for potential phishing emails and spam emails. Don’t click on anything suspicious, whether it’s an email, a text message, or any link therein.

Protect yourself online with our hand-picked digital privacy tools

Leave a Reply

Your email address will not be published. Required fields are markedmarked