Leaks such as these are easily avoidable, suggest researchers
An upcoming B2B sales and marketing company leaked personally identifiable information (PII) of up to 126 million US citizens, according to cybersecurity researchers.
Researchers at vpnMentor discovered an unsecured database on Amazon’s cloud computing platform AWS, which they traced back to the US-based marketing company OneMoreLead.
vpnMentor argues that the information in the database, which included email addresses, home address, and phone numbers, and more could easily have been used to perpetrate identity theft, financial fraud, or be used to devise effective phishing campaigns.
Furthermore, the database also contained job titles, name of the employer, and work contact details of the individuals, which vpnMentor believes could be used to conduct business email compromise scams.
While OneMoreLead were quick to protect the database once alerted, vpnMentor has also raised questions about the origins of the data.
According to vpnMentor’s report, OneMoreLead claims to have over 40 million clients, although it doesn’t list them on its website. Furthermore, vpnMentor says the company started in 2020 and it’s “unlikely they collected data from 126 million people since opening in 2020.”
Interestingly, vpnMentor says that the exposed data bears an uncanny resemblance to a leak originally linked to German B2B marketing company Leadhunter in 2020, who, back then, had denied ownership of the leaked data.
In any case, the researchers suggest that such leaks from unprotected databases are becoming more common.
“However, any leak like this could be easily avoided with some basic security measures taken including securing servers, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the internet,” suggest vpnMentor researchers, Noam Rotem and Ran Locar.