misconfigured Amazon Web Services S3 bucket. Reportedly, this bucket was unprotected and open to public access, which led to 10 GB worth of visitor data exposure.
The bucket was discovered on Sep 2nd, and WSpot was notified on Sep 7th, after which the company was able to secure it immediately. The Brazilian company confirmed that its servers remained intact and threat actors didn’t invade them.
SEE: Brazilian marketplace integrator Hariexpress exposed 1.75 billion records
Furthermore, there’s no indication that unauthorized third parties accessed the exposed information. The company states that it has hired a security firm to investigate the incident.
What Was Exposed?
Around 226,000 files got exposed in this data leak. The leaked information included personal details of at least 2.5 million users who connected to WSpot’s client’s public WiFi networks.
Moreover, according to SafetyDetectives’ analysis, the exposed information included details of individuals who accessed the WiFi service of the companies, which includes full name, full address, email address, and taxpayer registration numbers, and plain-text login credentials created by users when getting registered to the service.
In their blog post, SafetyDetectives explained that:
“We discovered two different file types exposed on the open database — SMS logs and guest reports. There may be more information exposed that was not visible in our sample data. 84MB of files containing SMS logs were found on WSpot’s database. There were an estimated 280,000 total log entries of this type. SMS logs leaked two forms of personal and confidential visitor data. This data belongs to the people that connected to each WSpot client’s WiFi.”
WSpot Confirmed the Leak
According to ZDNet, WSpot has confirmed the leak. The company explained that the leak was caused due to insufficient “standardization in the management of information,” which was stored in a specific folder. The company further noted that it is already addressing the issue since SafetyDetectives notified it and technical procedures were completed on Nov 18.
SEE: Brazil’s cosmetic giant Natura leaked 192m records with payment data
A company spokesperson shared that they haven’t yet contacted the National Data Protection Authority regarding the incident and that WSpot will address all legal issues. It is also unclear whether the company notified impacted users or not.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.