A company claiming to provide “the world’s most secure online backup” leaked metadata and customer information in over 135 million records after misconfiguring an online database, Infosecurity has learned.
The team at vpnMentor discovered the privacy snafu as part of its ongoing web mapping project that has already uncovered major cloud data leaks at brands including Decathlon, PhotoSquared and Yves Rocher.
It was traced to Californian-headquartered SOS Online Backup, which claims to be a multi-award winning provider with 12 data centers around the globe. The firm was contacted on December 10 and again seven days later. Although it never replied to the researchers, the incident was mitigated on December 19.
“The exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services,” vpnMentor explained.
The trove also included PII such as names, emails, phone numbers, business details (for corporate customers) and account usernames.
“By exposing so much metadata and user PII, SOS Online Backup has made itself and its customers vulnerable to a wide range of attacks and fraud,” warned vpnMentor.
“This database could have been a goldmine for cyber-criminals and malicious hackers, with access to cloud storage highly sought after in the online criminal underworld.”
Aside from the impact of potential reputational damage on the firm, the incident could be investigated by Californian regulators of the new CCPA data protection law, as well as GDPR regulators, if EU citizens’ data is included.
“Finally, the exposed database showed the structure of their cloud-based backup technology, accounts’ systems, and how they work. Hackers could use this information to plan effective attacks and embed malicious software in their system,” vpnMentor suggested.
“This would allow them to steal customer data and files, or attack SOS Online Backup directly.”