Employees at Dell, AT&T, Verizon, Capital One, and other companies exposed via popular office app


A massive data leak has exposed employees' credentials, affecting around 900 companies and organizations, including Dell, Verizon, AT&T, the Department of Energy, Comcast, and Chase.

On March 25th, 2024, the Cybernews research team discovered a publicly accessible web directory belonging to Maryland-based company Simpli (formerly Charm City Concierge).

The company’s app allows employees of companies renting office space to view stores located in the same building. It lists available amenities, workplace perks, and discounts and enables users to order various services and products.


The open web directory stored backups, made in January 2024, of the company’s website and the Simpli app’s database. The leaked backups exposed the email addresses and hashed passwords of 10,000 employees from around 900 companies.

Exposed web directory containing website and database backups.

Among the affected companies are:

  • Capital One
  • Center for Naval Analyses
  • American Bar Association
  • MicroStrategy
  • Cambridge Associates
  • Dell
  • Verizon
  • Comcast
  • Trans Western
  • WeWork
  • Trustar Bank
  • AT&T
  • National Council on Disability
  • Department of Energy
  • Chase

Order information with notes.

Since most employees signed up for the Simpli service using their company email addresses, this poses a significant risk. A threat actor could potentially target more sensitive corporate systems that employees have access to by using credential-stuffing attacks.

“While employee credentials were stored in a relatively secure format, the passwords could still be cracked, especially weak passwords,” said Aras Nazarovas, an information security researcher at Cybernews.

“If the employee uses the same password for multiple accounts, the cracked password could be used to log into other, more sensitive, work-related endpoints.”

List of buildings and their tenants

The leaked database also exposed orders made through the app, some of which contained notes with potentially sensitive operational information. These notes included details about meetings between individuals from different companies and the purposes for their meetings.

The files found in the open directory suggest that the exposure might have happened when the company was migrating its system from Drupal 7 to Drupal 9. Cybernews has reached out to Simpli, but we have not yet received a response.

User credentials

Risk of supply chain attacks

The leak underscores the supply chain risk inherent in using third-party services. In a supply chain attack, threat actors search for weaker elements within a supply network instead of directly targeting a company.

By breaching one supplier, attackers can potentially impact the company that uses that supplier's products or services. Extracted credentials from third-party providers could be extremely useful for malicious actors who have already targeted a company.

The retailer Target suffered a stark example of such an attack. In 2013, a malicious actor potentially breached Target’s refrigeration, heating, and air conditioning subcontractor, Fazio Mechanical, to spread malware to most of Target’s point-of-sale devices. Reportedly, the malware collected the financial details of approximately 40 million debit and credit cards.

Companies and organizations that provide third-party services should be alert to cybersecurity matters, as they might be targeted by attackers looking for bigger fish.
