According to cybersecurity firm WizCase, a terabyte of data containing 5.5 million records has been left exposed, exposing the personal information of more than 100,000 clients of a Colombian property company.
Ata Hakçl and his team discovered the vulnerability in a database maintained by Coninsa Ramon, a firm that specializes in design, construction, construction, and real estate services. The researchers stated in an exclusive study published with The Hacker Information that “there was no need for a password or login requirements to view this data, and the knowledge was not encrypted.”
The information leak is the consequence of a misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) bucket, which exposed sensitive information and facts such as clients’ names, pictures, and addresses. The information in the bucket includes everything from invoices and earnings files to pricing and account statements from 2014 to 2021.
Full names, phone numbers, email addresses, residence locations, estate payout amounts, and asset valuations are all included in the data. Furthermore, the bucket is said to include a database backup with additional data such as profile photos, usernames, and hashed passwords. Worryingly, the researchers discovered damaging backdoor code in the bucket, which could be used to gain persistent access to the website and redirect unwary visitors to fake web pages.
It’s unclear whether or not these materials were used in any marketing effort by bad actors. Coninsa Ramon H did not respond to email questions regarding the vulnerability from The Hacker News.
“Based on a sampling of the files, the misconfiguration revealed $140 to $200 billion in transactions or at least $46 billion in the once-a-year transaction history,” the researchers stated. “To put things in context, that’s roughly 14% of Colombia’s whole economic climate.”
The highly confidential nature of the data contained in the databases makes it vulnerable to phishing attacks and a variety of fraud or fraud pursuits, such as duping customers into making additional payments or, even worse, exposing additional personally identifiable information by tampering with the website’s backend infrastructure.