Several months ago I discovered a non-password-protected database that contained 92 million records. Upon further investigation it appeared to belong to the Cronin digital marketing agency. The exposed server was named "Cronin-Main" and many of the records contained references to Cronin. These records included internal data such as employee and client information. Also included in the dataset was a "Master Mailing List" with names, physical addresses, Salesforce IDs, phone numbers, and references to where the leads came from.
We are finally working through a backlog of discoveries, highlighting the potential vulnerabilities and giving real-world examples of the cyber security risks associated with each data exposure.
The Cronin digital marketing agency was acquired by Horizon Group of North America and has a client list of well-known brands such as Dunkin' Donuts, Lego, Henkel, and Loctite, to mention a few.
Here is what was discovered:
- Total Size: 26.43 GB / Total Docs: 92,711,060
- Exposed records that contained internal logging of client advertising campaigns, keywords, Google Analytics data, and detailed information such as session IDs, client IDs, device data, and other identifying information.
- Login tokens and other security information.
- Internal Cronin employee usernames, emails, and hashed passwords. The usernames and emails alone are enough to target staff with phishing, and hashed passwords can be cracked offline and then reused to access restricted areas of the network or password-protected records.
- Employee and financial records in formats such as "bill_rate","department":"digi","department_code":"technology & innovation", along with other internal record and log formats.
- The exposure shows where data is stored and serves as a blueprint of how the service operates from the backend.
- Middleware and build information that could provide a secondary path for malware, plus IP addresses, ports, paths, and storage details that should never be public and that cyber criminals could use to move deeper into the network.
- The database was left open and viewable in any browser (publicly accessible), and anyone could have edited, downloaded, or even deleted data without administrative credentials.