2 minutes read

Hosting Provider Exposed 63 Million Records and User Passwords

By
Jeremiah Fowler

Jeremiah Fowler

Hosting Provider Exposed 63 Million Records and User Passwords

On October 5th I discovered a non-password protected database that contained a large amount of monitoring and system logs. There were records indicating data backups, monitoring, error logging, and more. Upon further research, the database appeared to belong to the Texas-based cloud application hosting provider, Cloud Clusters Inc. According to their website, they have 4 data center locations that include: Bend, Oregon, Charlotte, North Carolina, Denver, Colorado, and Dallas, Texas.

I immediately sent a responsible disclosure notice of my findings. Public access was restricted shortly after my notice. No one replied to my first messages and after a second follow-up email on October 13th I received an acknowledgment of my notification that said “Thanks for pointing out the problems to enhance website security. We also take data security very seriously.” It is unclear if Cloud Clusters Inc had notified customers or authorities regarding the exposure.

I saw user/password credentials for Magento, WordPress accounts, and MySql. Magento is an eCommerce platform used to sell products or services and WordPress is a website management system written in PHP. An exposure of login details could have potentially put these accounts and shoppers at risk. Cloud Clusters Inc’s customers could have been targeted by social engineering or spear phishing attempts using the exposed emails and credentials.

It is unclear how long these records were exposed or who else may have had access to this data. As a security researcher, I never circumvent or bypass password protected assets. These records were publicly accessible and no hacking necessary to see 63.7 million records. If a cyber criminal had access to this information it could potentially compromise those sites and eCommerce accounts. I am not implying that customers or visitors to these sites were at risk only raising awareness of what was exposed to anyone with an internet connection. After any security breach, all administrative credentials should be changed immediately including customer passwords or details that were captured in monitoring logs.

  • Client panel and employee login paths and data.
  • 63,747,966 total records exposed.
  • Evidence of Meow bot attack (a malicious script that deletes data).
  • Middleware and build information that could allow for a secondary path for malware.
  • IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.

My full summary of the discovery was published on Secure Thoughts.