Exclusive: PR software firm exposes data on nearly 500k contacts
Written by Greg Otto
Dec 9, 2019 | CYBERSCOOP
A company that sells content management software and services exposed data on 477,000 media contacts, including 35,000 hashed user passwords, to the public internet.
In October, iPRsoftware, a U.S.-based company that specializes in software that manages and disseminates company public relations and marketing, was discovered to be exposing the data along with administrative system credentials and assorted documents.
Among the documents were marketing materials for client companies, as well as credentials for the company’s Google and Twitter accounts and a MongoDB hosting provider. A MongoDB spokesperson told CyberScoop that the database was hosted by Compose IBM.
“This is a sunset third-party service that was never owned or maintained in any way by MongoDB Inc.,” the spokesperson said.
Chris Vickery, director of cyber risk research at UpGuard, first contacted the company about the exposure in October. Despite the company’s acknowledgement of the issue, Vickery observed that over the following week the only change was the appearance of a log file for reviewing activity on the open repository.
When contacted weeks later by CyberScoop about the exposure, a company representative said it was in touch with Amazon Web Services about the issue. AWS told iPRsoftware that the repository was in fact exposed to the public internet, and the company made it private on Nov. 26.
iPRSoftware lists NVIDIA, Xerox and Mattel among its clients. Among the companies whose information was exposed were Nasdaq and Mercury Public Affairs, a lobbying firm that stirred up controversy earlier this year for its ties to Paul Manafort.
iPRSoftware did not respond to questions on whether it had informed its clients of the data exposure.
The exposure illustrates how third-party risk grows when enterprises must rely on their vendors to understand how to secure the information entrusted to them.
“The consequences of compromised credentials to social media accounts are well known and can result in blatant defacement or surreptitious private messaging,” Vickery writes in a blog post. “While digital advertising is the core revenue stream for platforms like Google, Facebook, and Twitter, businesses use their online presence to market to customers by distributing information about their products and gathering contact information from potential customers. … When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts.”