Over 60 million customer and user registrations from the North American hosting service provider, Cloud Cluster, were exposed in an unencrypted database available to anyone, without a password.
The discovery was made by cybersecurity researcher, Jeremiah Fowler, still in early October this year. Fowler reports that he notified the company as soon as he discovered the exposed data on October 5. However, the company only replied on October 13, thanking the statement:
“Thank you for pointing out the problems with increasing the security of the site. We also take data security very seriously, ”replied the company. However, this vague response does not guarantee that the company has notified its customers and users about the exposure of its data, says Fowler.
The data found contained access credentials for services like WordPress, Magento and MySQL. Data were also available from other operations managed by the Cloud Cluster, such as Mgtclusters, Hyper-v-mart and others.
“These records were accessible to the public and it was not necessary to hack to see the 63.7 million records … If a cybercriminal had access to this information, he could compromise these websites and e-commerce accounts “, says the researcher.
More than 63 million records available without a password
In total, 63,747,966 of exposed records. According to Fowler, the decrypted database containing these credentials was public and in addition to being accessible to anyone from any browser, it did not require a password to access. “Anyone could edit, download or even delete the data, without the need for administrative credentials,” he says.
The data was filled with detailed information: from access records (log), as well as logins, passwords and email addresses of the Magento, WordPress, MySQL platforms that belong to the company’s customers. All in plain text.
With this data, cybercriminals could log into the exposed companies’ systems with valid employee credentials, accessing the Cloud Cluster customers’ backend, as well as accessing the users’ accounts.
Source: Securethoughts.
See the original post at: https://thehack.com.br/provedora-norte-americana-de-hospedagem-deixa-exposto-63-milhoes-de-registros-de-clientes/?rand=48873