Email marketing is big business and many companies rely on email to keep in contact with their customers or potential customers. In the modern world of overpriced pay-per-click ads, targeted email marketing lists are the holy grail of an organization’s marketing strategy. This customer data is as valuable as the products or services the company provides.
On January 24th I discovered an open and publicly accessible database that contained millions of records and a massive number of email addresses. There were references in the database to highinbox.com, and that domain directs visitors to a permission-based email service provider by the name of Pabbly. I sent a responsible disclosure notice to Pabbly email marketing the same day as the discovery and public access was restricted within hours. However, no one from Pabbly replied to the initial notice or to additional requests for information.
The records appear to go back to 2014 and contained customer names, email addresses, subject lines, email messaging and more internal records such as host paths and SMTP data. Anyone with an internet connection could have had access to millions of Pabbly email marketing’s customer records. It should be noted that Pabbly also offers email scrubbing, where users upload their own lists and Pabbly removes invalid and duplicate email addresses and provides users with a “clean list”.
Here is what we have discovered:
- The database was publicly accessible and anyone could edit, download, or even delete data without administrative credentials.
- Internal logs and records that should not be exposed online.
- highinbox 50.6 Million Records (When reviewing a sample for verification purposes I noticed that nearly every record included an email address. I can only speculate that this could be the scrubbing service.)
- sdfdsfsdfsending_email 76.6k
- sending_email 635k
- IP addresses, ports, pathways, and storage info that cyber criminals could exploit to access the network more deeply.
Exposed Emails are a Spam Goldmine
We can only speculate about the risks of this exposure, but it is possible that these emails could be targeted for spam, phishing attempts, or other potentially malicious actions. Spam has always been an industry-wide problem that affects everyone, and it seems logical that if your email address is exposed the risk factors increase. Unfortunately, when email addresses are exposed, legitimate marketing can be exploited for nefarious purposes.
According to an article published by Securelist: In Q1 2019, the average share of spam in global mail traffic rose by 0.06 p.p. to 55.97%, and the Anti-Phishing system prevented more than 111,832,308 redirects to phishing sites, up 35,220,650 in comparison with the previous reporting period.
It is unclear how long the data was exposed or who else may have gained access to it before I responsibly disclosed my discovery to Pabbly email marketing. It is also unclear if the affected customers or the authorities were notified of the exposure. Pabbly is located in Bhopal, Madhya Pradesh, India. According to their website, Pabbly is used by 100K+ businesses, including Harvard University, The Guardian, Uber and others. At the time of publication no reply or statement has been given by Pabbly.