vpnMentor’s research team has found a breach in the xSocialMedia database.
Noam Rotem and Ran Locar, our leading cybersecurity researchers, discovered vulnerabilities in multiple databases operated by xSocialMedia.
Nearly 150,000 personal records were exposed, but that’s not all they found.
This included deeply personal medical testimonies, identifying information, and contact information for users.
According to their website, they create Facebook ad campaigns for 230+ clients.
Their ads have generated over 16,000 leads.
Examples include https://ied-fund.injury-check.com and https://ivcfilter-risk.injury-check.com.
xSocialMedia lists 10 different kinds of injury lawyers that they work with.
We could access almost 150,000 responses to these forms.
The lead above shows data that a US veteran submitted describing their combat injuries.
Employers, for example, may not know an employee is suffering from PTSD.
This submission included deeply private symptoms that this person is still suffering as a result of their surgery.
Using the information provided in the database, we could easily find their social media accounts and location.
Though they did not submit their address, the inclusion of an IP address is enough to discover their location.
Here’s another entry that came from a veteran.
This is for a case about malfunctioning earplugs.
The extent of the veteran’s injury may not be something they disclose to everyone.
xSocialMedia didn’t just leak private data regarding their leads.
Their database also leaked their own bank account information in invoice records they sent to clients.
We could also see their clients' names, addresses, phone numbers, and email addresses.
The amount of data that is easily accessed through xSocialMedia’s database doesn’t stop there.
We can see more than 300 different clients who are collecting data to build lawsuits.
We can view the code for their website forms, as well as metrics for their Facebook ads.
Most companies don’t disclose specific metrics per campaign.
Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission.
These laws can protect patients' welfare, their families, and their jobs.
Healthcare providers cannot even confirm a patient to an outside party without a release.
Based on the testimonies recorded in xSocialMedia’s database, many of these people were recording their private medical issues.
Some may worry about being shamed for their medical conditions, or even blackmailed.
Moreover, these individuals can be readily traced due to the identifying information linked to their testimonials.
A malicious actor could exploit this information to assess the security of their other accounts.
Discovering that their data was leaked without permission could easily add to their trauma.
xSocialMedia should have taken more care to secure their databases before they began collecting private medical information.
xSocialMedia specifically focuses its Facebook ad campaigns on the medical malpractice industry.
It’s a breach of ethics to not have higher security measures in place from the start.
Furthermore, this data leak doesn’t just hurt those suffering from medical malpractice.
It hurts xSocialMedia’s business as well.
Future law firms may be less inclined to work with a company that experienced such a widespread breach.
How We Discovered the Breach
vpnMentor’s research team found the breach through a web-mapping project.
Headed by Ran and Noam, the team scans ports looking for familiar IP blocks.
They use these blocks to find holes in a company’s web system.
Once these holes are found, the team looks for vulnerabilities that would lead them to a data breach.
Using their expertise, they examine the database to confirm its identity.
Once we’ve found the leak, we hit up the company to alert them to the data breach.
When possible, we also notify those affected by the leak.
We do this to make the internet safer for all users.
Advice from the Experts
This data leak could have easily been avoided.
About Us and Previous Reports
vpnMentor is the world's largest VPN review website.
We recently discovered a huge data breach impacting 80 million US households.