The SafetyDetectives research team discovered a significant data leak affecting the Brazilian software company WSpot.
Who Is WSpot?
The product is a WiFi management software.
SMS logs contain emails and passwords in plain text
It provides added security and control for businesses that allow guests to connect to their WiFi without a password.
Amazon does not manage WSpot's server and isn't responsible for its configuration.
We discovered two different file types exposed on the open database: SMS logs and guest reports.
Guest reports contain a range of PII
There may be more information exposed that was not visible in our sample data.
84MB of files containing SMS logs were found on WSpot's database.
There were an estimated 280,000 total log entries of this type.
Certain guest reports leak dates of birth and question answers.
An estimated 2.5 million Brazilian citizens may be affected by this data breach.
SMS logs leak account credentials.
These records show messages containing plaintext login details sent to people who were registering their WSpot accounts.
This practice is referenced as a feature on WSpot's website (credentials via SMS).
You can see evidence of SMS logs in the screenshot below.
You can see evidence of guest reports in the following image.
This information was likely collected by WSpot's software to create a database of visitors.
You can see evidence of guest reports that feature visitors' answers below.
The following table provides a full breakdown of this data breach.
The SafetyDetectives research team found the server on September 2nd, 2021.
WSpot's unprotected Amazon S3 Bucket was live and being updated at the time of discovery.
We cannot know whether hackers have accessed the server.
In this case, Brazilian citizens, WSpot clients, and WSpot must understand the risks they may face.
Brazilian Citizens
First and foremost, the guests of WSpot clients have had their data exposed.
The affected parties all reside within Brazil, which is where WSpot offers its services.
Affected citizens could face scams, phishing attempts, and account takeovers.
WSpot's database leaked the email addresses and phone numbers of Brazilian citizens.
As such, bad actors could contact people to target them with scams and fraud.
Attackers could launch popular scams using visitor PII to appear trustworthy.
Similarly, hackers may target leaked citizens with phishing attacks.
Phishers will often use this information to supplement scams, fraud, and various other cybercrimes in the future.
Again, hackers could appear trustworthy by referencing the user's personal data during initial communications.
They could pose as a representative of one of the businesses exposed on WSpot's S3 Bucket.
SMS logs contained SMS messages which, if accessed by criminals, reveal credentials for user accounts.
These leaked businesses could encounter similar scams and phishing attempts using the details of their visitors.
The ultimate goal of the attacker, of course, would likely be to collect information or conduct fraud.
Business espionage is another possibility.
WSpot could face various penalties and damages as a result of this data breach.
However, WSpot may come under the scrutiny of LGPD for leaking user data.
Brazil's General Data Protection Law is officially known as Lei Geral de Proteção de Dados (LGPD).
This law came into effect in late 2020.
Companies that mishandle the data of Brazilian citizens may have to pay sanctions.
WSpot could potentially experience a loss of business due to this data breach.
This is quite a common occurrence for companies that suffer a data leak.
Companies can lose trade from any system downtime related to a data breach. Reputational damage is another possibility for WSpot.
Data breaches are not seen in a positive light by other businesses and members of the public.
Data security is an aspect of WSpot's service, too, which may be undermined by this data breach.
Current clients could cease trade with WSpot due to concerns about the security of their data.
Potential clients may choose a rival business over WSpot for the same reason.
WSpot clients could be open to using a new solution for the above-mentioned reasons.
Rival businesses could also contact WSpot posing as one of the company's clients or indeed a fellow WSpot employee.
Callers could reference clients to build trust.
Preventing Data Exposure
What can we do to protect our data and minimize the risk of cybercrime?
For a full review of SafetyDetectives' cybersecurity reporting over the past 3 years, follow SafetyDetectives Cybersecurity Team.