SoftwareProjects exposes substantial customer and affiliate data

Affiliate sales platform SoftwareProjects had nearly 200GB worth of customer and affiliate data exposed publicly before it was discovered and reported by cybersecurity researcher Jeremiah Fowler. The exposed database contained 257,562 records with images of credit cards, identification documents, personally identifiable information, and other potentially sensitive information.

“There were thousands of documents that disclosed personally identifiable information (PII) of both clients and affiliates,” said Fowler in a blog post. “The database was marked as CDN, which typically stands for a content delivery network or content distribution network.” CDN is where documents and files are stored to speed up the load time of an application, website, or other data-heavy web-based tools, according to Fowler.

Critical customer and affiliate data exposed

The non-password protected database had two folders containing verification documents of clients and affiliates respectively along with a few internal documents. “I saw many internal documents such as invoices, refunds, affiliate payouts, sales and accounting data, and much more,” Fowler said. “The most concerning discovery I saw was approximately 18,000 order verification files that included images of personal identification documents, pictures of individuals holding identification documents, and credit cards from customers worldwide.”

After making the discovery, Fowler sent a disclosure notice to SoftwareProjects; he was thanked and informed that the access issue with the directories was subsequently resolved by moving all PII data away from public buckets. However, he found that the database remained accessible for some time before access was restricted.
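The root cause described above is storage that anyone on the internet could read, and the fix was moving the files out of public buckets. The following script, added here as an illustration rather than anything from the article or from SoftwareProjects, shows the kind of check an operator can run over a bucket's access configuration before an outsider finds it: it flags resource-policy statements that grant access to any principal and ACL grants to the "everyone" groups. The article does not name a cloud provider; the JSON shapes used here follow the AWS S3 bucket-policy and ACL conventions as an assumed example format, and all sample inputs are constructed.

```python
"""Offline audit of bucket access settings for public grants (added example).

Assumes AWS S3-style policy and ACL documents; the bucket names, policies and
ACLs below are constructed samples, not data from the reported exposure.
"""
from typing import Any

# S3 ACL group URIs that mean "anyone" and "anyone with an AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True when a statement's Principal matches every caller ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict) -> list[dict]:
    """Return Allow statements that are open to any principal.

    A Condition block is reported but does not suppress the finding, since a
    reviewer must read it to decide whether it actually narrows access.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "has_condition": bool(stmt.get("Condition")),
        })
    return findings


def public_acl_grants(acl: dict) -> list[dict]:
    """Return ACL grants whose grantee is one of the global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append({
                "group": uri.rsplit("/", 1)[-1],
                "permission": grant.get("Permission"),
            })
    return findings


def audit_bucket(name: str, policy: dict, acl: dict) -> dict:
    """Combine both checks into one verdict for a bucket."""
    statements = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {
        "bucket": name,
        "public": bool(statements or grants),
        "policy_findings": statements,
        "acl_findings": grants,
    }


# Constructed sample: a bucket labelled as a CDN that anyone can read from.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cdn-bucket/*",
    }],
}
EXPOSED_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}

# Constructed sample: same bucket after access is limited to one account role.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-cdn-bucket/*",
    }],
}
HARDENED_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
    "Permission": "FULL_CONTROL",
}]}

if __name__ == "__main__":
    for name, pol, acl in [("example-cdn-bucket (before)", EXPOSED_POLICY, EXPOSED_ACL),
                           ("example-cdn-bucket (after)", HARDENED_POLICY, HARDENED_ACL)]:
        print(audit_bucket(name, pol, acl))
```

Running the script reports the first configuration as public on both the policy and the ACL and the second as not public. In practice the same functions can be fed the output of the provider's "get bucket policy" and "get bucket ACL" calls for every bucket in an account, so that a folder of verification documents never sits behind an open grant in the first place.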

“In a separate folder, there were verification documents for affiliates,” Fowler added. “These affiliate records could be potentially more sensitive than customer records because cybercriminals would be aware that these individuals are engaged in business activities and could potentially be more valuable targets for theft or fraud.”

Additionally, the database contained a range of other files and documents, including invoices with customer PII, refund documents, bank transfer records, and .csv files of earnings reports that showed ABA account numbers of affiliates.

Risks include phishing, identity theft, and malware injection

It is unknown how long the data was exposed or if it was ever accessed. Exposed bank accounts and routing numbers could potentially allow criminals to attempt unauthorized bill payments or money transfers, according to Fowler.

The database also consisted of many internal programming files required for the website or application functionality. “Exposed JavaScript (.js) files in a data breach have potential risks and numerous security vulnerabilities,” Fowler said. “If malicious actors have access to these code files, they can potentially identify vulnerabilities and exploit them. The highest potential risk is that attackers could inject malicious scripts or launch attacks like cross-site scripting (XSS) or cross-site request forgery (CSRF).”

As the data contained information such as full names, addresses, dates of birth, and license numbers, attackers could also use it for identity theft, fraud, or other illegal activities.

Fowler advises customers or affiliates who suspect they are affected to monitor their credit and debit accounts for unauthorized transactions, apply for new bank cards and account numbers, and consider an identity theft protection service. “I am not implying any wrongdoing by SoftwareProjects or any affiliates, nor do I claim that customers or affiliates were ever at risk,” Fowler said. “I am only reporting the facts of my findings and the real-world risks of this kind of exposure.”
