An unusual web interface belonging to the Heartbeat monitoring service was discovered by security researcher Bob Diachenko.
The publicly accessible instance displayed graphs and descriptions; the data behind the graphs was sourced from a MongoDB database.
The database itself was also publicly accessible and was hosted on the same IP address as the Heartbeat instance.
Following an investigation, Diachenko concluded that the data belonged to the Whirlpool cloud infrastructure. The company used the database to collect information from IoT-connected home appliances, including customer email addresses, smart appliance IDs, model names and numbers, and various attributes of the scanned appliance.
Diachenko notified the Whirlpool security team, and within 24 hours both the database and the service instance were taken offline.
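The exposure described above is the classic pattern of a MongoDB server bound to every network interface with authorization left at its default (off), which lets any client that can reach the port enumerate databases and read every collection. As an added illustration, not taken from the article or from Whirlpool's own systems, the two mongod.conf fragments below contrast that weak configuration with a hardened one; the port is MongoDB's default and the private address is an assumed placeholder.

```yaml
# Added example, not the article's or Whirlpool's configuration.
# Two mongod.conf fragments: the first reproduces the kind of exposure
# the article describes, the second closes it. Addresses are placeholders.

# --- Exposed: listens on every interface, no authentication required ---
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from any network the host is attached to
# No "security" section: authorization is disabled by default, so any client
# that can reach the port can run listDatabases and dump every collection.

---
# --- Hardened: private interfaces only, authentication mandatory ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the assumed private app-network address
security:
  authorization: enabled        # clients must authenticate; create admin/app users first
```

After changing `bindIp`, confirm from an external host that the port no longer answers, and after enabling `authorization`, confirm that an unauthenticated connection is refused a `listDatabases` command; a network firewall rule in front of the host is a worthwhile second layer, since a later edit to the config can silently reopen the port.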
Whirlpool provided Diachenko with the following statement:
“Our company was recently made aware of a potential security concern with respect to one of its databases. The database was immediately taken offline and secured.
“Our investigation showed that 48,000 emails were publicly available – but no confidential information was exposed. We are in the process of reaching out to impacted consumers. Our company appreciated this notification so the issue could be quickly addressed.”
The post #Privacy: Experts identify Whirlpool as owners of exposed database appeared first on PrivSec Report.