Marketing Firm Straffic Exposed 49 Million Emails On Unsecured Server

This time the firm is Straffic, an Israeli marketing company that exposed 49 million email addresses via an unsecured database. The firm, though, described the breach as a vulnerability.

Straffic Exposed 49 Million Emails

Reportedly, Israeli marketing firm Straffic exposed millions of email addresses via an unprotected server. The leaky database held around 49 million unique email addresses, totaling 140GB of data and including detailed contact information.

As elaborated in a post, the unsecured instance first caught the attention of a researcher known as 0m3n on Twitter. The researcher found that Straffic had left the credentials for an unprotected Elasticsearch database online, so anyone could access the information it contained without hassle.

He told the Information Security Media Group (ISMG) that he became curious about the server after receiving a spam message. A little digging revealed a .env file on a related webserver that pointed to the Elasticsearch database.

I have been getting spam text messages for the past two years from random phone numbers with similar messages containing links to gibberish domains. I decided to take a look at one and found a .env file on the webserver of one of the domains in said messages, which was a config file that pointed to an AWS Elasticsearch instance.

According to ISMG's analysis, the exposed information included names, genders, email addresses, physical addresses and phone numbers, though not every record carried all of these fields. The researcher could also see Laravel logs for a Straffic app in the database.
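The chain described above (a .env file served from a web root, holding the credentials and endpoint of an Elasticsearch instance) is the kind of thing a site owner can check for before anyone else does. The following is an added example, not Straffic's code or the researcher's tooling: it walks a web document root, flags files that should never be served (a .env file among them), parses any dotenv file it finds in the same KEY=VALUE format Laravel uses, and reports which keys look like credentials. The forbidden-file list, the credential key-name heuristic and every value in the sample .env are assumptions or constructed placeholders.

```python
"""Audit a web document root for dotenv files that would leak service credentials.

Added example (not Straffic's code nor the researcher's tooling): a defender's
check for a Laravel-style .env file left where the web server can serve it.
All sample values below are constructed placeholders.
"""
import re
import tempfile
from pathlib import Path

# File names that must never sit under a document root (assumed list).
FORBIDDEN_NAMES = {".env", ".htpasswd", ".git"}

# Key names that usually carry a credential (assumed heuristic, case-insensitive).
SECRET_KEY_RE = re.compile(r"KEY|SECRET|PASSWORD|PASS|TOKEN|DSN", re.IGNORECASE)

# Constructed sample .env, modelled on a Laravel app that talks to Elasticsearch.
SAMPLE_DOTENV = """\
# placeholder values only
APP_NAME=ExampleApp
APP_ENV=production
APP_DEBUG=false
DB_HOST=db.internal.example
DB_PASSWORD="not-a-real-password"
ELASTICSEARCH_HOST=https://search.internal.example:9200
ELASTICSEARCH_USER=svc_account
ELASTICSEARCH_PASSWORD='placeholder-secret'
AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER
AWS_SECRET_ACCESS_KEY=placeholder
"""


def parse_dotenv(text):
    """Parse dotenv-style KEY=VALUE lines into a dict.

    Blank lines and '#' comments are skipped, an optional 'export ' prefix is
    dropped, and matching surrounding quotes are removed from the value.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def find_exposed_secrets(env):
    """Return, sorted, the keys whose names look credential-bearing and are set."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))


def audit_docroot(docroot):
    """Walk a document root and list forbidden files plus the secrets they hold.

    Each finding is {'path': <relative POSIX path>, 'secrets': [key, ...]};
    directories such as .git are reported with an empty secrets list.
    """
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if path.name in FORBIDDEN_NAMES or path.name.startswith(".env"):
            secrets = []
            if path.is_file():
                secrets = find_exposed_secrets(
                    parse_dotenv(path.read_text(errors="replace")))
            findings.append({"path": path.relative_to(root).as_posix(),
                             "secrets": secrets})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Build a throwaway docroot containing a stray .env and audit it."""
    with tempfile.TemporaryDirectory() as docroot:
        public = Path(docroot) / "public"
        public.mkdir()
        (public / "index.html").write_text("<h1>ok</h1>")
        (public / ".env").write_text(SAMPLE_DOTENV)
        return audit_docroot(docroot)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["secrets"]) or "(no secrets)")
```

Run it against a real document root with audit_docroot("/var/www/example") in place of the demo. A hit is a signal to do two things: keep the .env file (and anything else in FORBIDDEN_NAMES) outside the directory the web server serves, with a deny rule for dotfiles in the server configuration as a backstop, and treat every credential it listed as compromised and rotate it. Independently of this check, an Elasticsearch endpoint reachable from the internet should require authentication, so that a leaked hostname alone does not hand over the data.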

The researcher also shared his discovery with Troy Hunt of Have I Been Pwned (HIBP), who counted 49 million unique email addresses in the database. Hunt confirmed that 70% of those addresses were already present in HIBP's records, but the remaining new entries still add up to a large number.

Not A Vulnerability. Rather, Misconfiguration…

After this discovery, Straffic swiftly secured the leaky database. They also formally announced the breach, though in a shady manner, calling the misconfiguration a ‘vulnerability’. As stated in their notice:

We’ve been reported that a security vulnerability has been found on one of the servers we use to provide our services.

Nonetheless, they confirmed that they had addressed the ‘weakness’:

We confirmed a weakness did exist and promptly patched it, in addition to fortifying our existing security protocols. As of now, all systems are secure and we did not find evidence of any data misuse or data loss.

Troy Hunt called this the ‘worst disclosure’, as it included no specific details:

It offers nothing of substance regarding what data was exposed, when the vulnerability was introduced, when it was fixed, how many people were impacted and indeed if they’re even being notified. Then there’s the comment that ‘it is impossible to create a totally immune system’, which appears to serve no purpose other than attempting to excuse their failure to secure the system.
