Blog

Digital Marketing Agency Exposed 92 Million Records Online Including Employee and Client Data.

Jeremiah Fowler November 24, 2021 0 1 min read

Several months ago I discovered a non-password protected database that contained 92 million records. Upon further investigation it appeared to belong to the Cronin digital marketing agency. The exposed server was named “Cronin-Main” and many of the records contained references to Cronin. These records included internal data such as employee and client information. Also included in the dataset was a “Master Mailing List” with direct physical names, addresses, Salesforce IDs, phone numbers, and references to where the leads came from.

We are finally going through a backlog of discoveries and highlighting the potential vulnerabilities and give real world examples the cyber security risks associated with the data breach.

Cronin digital marketing agency was acquired by Horizon Group of North America and has a clients list of well known American brands such as Dunkin Doughnuts, Lego, Henkel, Loctite to mention a few.

Here is what was discovered:

  • Total Size: 26.43 GB / Total Docs: 92,711,060
  • Exposed records that contained internal logging of client advertisement campaigns, keywords, Google analytics data, detailed information such as session ID, Client ID, device data and other identifying information.
  • Login tokens and other security information.
  • Internal Cronin employee usernames, emails, and hashed passwords that could be potentially targeted in a phishing attack or used to access restricted areas of the network or password protected records.
  • Employee and financial records in the following format: bill_rate”,”department”:”digi”,”department_code”:”technology & innovation”, and other internal recording or logging formats.
  • The exposure shows where data is stored and serves as a blueprint of how the service operates from the backend.
  • Middleware or build information that could allow for a secondary path for malware. IP addresses, Ports, Pathways, and storage info that cyber criminals could exploit to access deeper into the network that should not be public.
  • This is a database set to open and be visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.

Click here to read my full report: 

Tags :

Jeremiah Fowler

View More Posts

Jeremiah Fowler: Director of Security Research, Communications Specialist, Journalist and Cofounder at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com Twitter: @Yoda69

Burger King’s Online Shop for Kids Exposed Data

Share via: Facebook Twitter LinkedIn More Kool King Shop, (https://www.koolkingshop.fr/), a French-only online shop for kids who purchased Burger King’s […]

May 7, 2019 0 1 min read

A UK-based Security Company Seemed To Have Inadvertently Exposed Its ‘Leaks Database’ with 5B+ Records

Share via: Facebook Twitter LinkedIn More On March 16th I have found an unprotected and thus publicly available Elasticsearch instance […]

March 19, 2020 0 2 min read

Free Wifi User Data Exposed in Multiple UK Train Stations

Share via: Facebook Twitter LinkedIn More On February 14th I discovered a non-password protected database that contained a massive amount […]

March 2, 2020 0 4 min read

US non-profit for international study exposes private documents of thousands of students: report

Share via: Facebook Twitter LinkedIn More The Institute of International Education (IIE), a US nonprofit that focuses on foreign exchange […]

February 13, 2020 0 3 min read
Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap