The UpGuard Research team has disclosed a data leak originating from iPR Software, exposing the data of hundreds of high-profile entities.
UpGuard researchers discovered an Amazon S3 storage bucket named “cms.ipressroom.com” on October 15, 2019. Following an analysis, researchers confirmed that the bucket contained sensitive data, and iPR Software were notified on October 24 via phone and email.
iPR Software confirmed that they were aware of the issue and were working to secure the database; however, the only observable change was the appearance of a folder called “loganalysis.” The database was finally secured in November 2019, a full month after the notification.
The bucket contained data belonging to clients using iPR Software’s platform, including 477,000 media contacts, 35,000 user password hashes, business entity account information, assorted documents, and administrative system credentials.
“The Amazon S3 storage bucket contained a large collection of files, some of which were configured for public access, totaling over a terabyte in size,” said researchers in a post. “In addition to the database files, the storage bucket contained documentation from iPR developers, documents which appear to be marketing materials for client companies, and credentials for iPR accounts on Google, Twitter and a MongoDB hosting provider.”
The large organisations exposed included CenturyLink, Forever 21, Dunkin’ Donuts, California Courts, Nasdaq and Mercury Public Affairs, a firm relevant to the Rick Gates and Paul Manafort investigations.
“As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients,” said researchers. “When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts.”
The post #Privacy: Marketing & PR platform exposes thousands of users appeared first on PrivSec Report.