Marketing firm exposes 49 million unique emails

By Tim Sandle     Feb 29, 2020 in Technology
Israeli marketing firm Straffic exposed 49 million unique email addresses after a misconfiguration in its web server exposed the authentication credentials for an AWS Elasticsearch database. Anurag Kahol of Bitglass looks into the issue.
The compromised database held 140 gigabytes of data, including contact details such as names, phone numbers, and postal addresses. It appears that 70 percent of the emails in Straffic's database were already on the data breach notification site Have I Been Pwned, meaning that many of the emails did not come from previous breaches.
The issue came to light after a San Diego-based DevOps engineer detected the disclosure, according to Tripwire. The main concern stemming from the data breach is that if this data is accessed by hackers, the sensitive information within the database could be used by bad actors to launch targeted phishing attacks.
Looking into the issue, Anurag Kahol, CTO of Bitglass, tells Digital Journal: "While Straffic is fortunate that a security researcher identified the company’s misconfigured web server, anyone could have scraped the unprotected credentials and accessed Straffic’s AWS Elasticsearch database."
Kahol notes: "If the 140GB of contact details fell into the wrong hands, impacted victims would have been vulnerable to sophisticated malicious attacks."
In terms of what can be done, Kahol says that "to protect data from unauthorized access, organizations need to deploy step-up, multi-factor authentication (MFA); that way, any suspicious attempt to log in to a public cloud database will automatically trigger a request for additional identity verification."
The absence of MFA for cloud resources is a common yet preventable cause of data breaches. As an example, Microsoft reports that an account with MFA enabled is 99.9 percent less likely to be compromised.
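One way to enforce the step-up MFA Kahol describes at the identity layer, added here as an illustration and not something from the article or from Straffic: an AWS IAM policy that denies every Elasticsearch (es:*) API call unless the caller's session was established with MFA within the last hour. It assumes the domain is reached through IAM principals signing AWS API requests; the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge condition keys do not apply to an Elasticsearch internal user database or to a domain whose access policy is left open.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyElasticsearchWithoutMFA",
      "Effect": "Deny",
      "Action": "es:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyElasticsearchWithStaleMFA",
      "Effect": "Deny",
      "Action": "es:*",
      "Resource": "*",
      "Condition": {
        "NumericGreaterThanIfExists": { "aws:MultiFactorAuthAge": "3600" }
      }
    }
  ]
}
```

The IfExists forms matter: a request signed with long-lived access keys carries no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats that absence as a match, so static credentials lifted from a misconfigured web server are refused rather than silently allowed. An explicit Deny also overrides any Allow granted elsewhere, so the policy can be attached to every principal that touches the domain without re-auditing their existing permissions.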
Kahol adds a further recommendation: "Additionally, organizations should look for security solutions that provide agentless real-time protection, offer encryption for data at rest, and enforce restrictions on what can be accessed from new, personal, or mobile devices—limiting the scope of damage or even preventing it entirely."