OneMoreLead was storing all this information on an unsecured database, which the company had left completely open.

For example, the clients section was still blank, and the signup button didn’t work.

But rare are these times.

Report: Over 63 Million US Citizens Exposed in Massive Data Leak

Instead, we usually need days of investigation before understanding what’s at stake or who’s leaking the data.

Furthermore, some affected parties deny the facts, disregarding our research or playing down its impact.

So, we need to be thorough and make sure everything we find is correct and accurate.

A screenshot from OneMoreLead’s website

However, the origins of the data, or how it ended up in OneMoreLead’s hands, remain unknown.

The company is new, with no known clients and an unfinished website.

(Leadhunter denied responsibility for the leak at the time, and researchers couldn’t confirm a link.)

However, the company has a responsibility to wrap up the vulnerability and ensure it’s not leaked again.

With this in mind, we contacted a person that was involved in OneMoreLead and presented our findings.

We also reached out to AWS, as the database was stored on its cloud platform.

They replied the same day, and the server was secured the following day.

For example, a person may no longer work at a business listed in the indexes.

It may also be possible to cross-reference entries with an individual’s online presence, such as a LinkedIn profile.

We believe these records were access credentials for OneMoreLead’s backend, most likely belonging to OneMoreLead’s customers.

Worse still, we viewed numerous .gov and New York Police Department email addresses in the database.

Considering the complete list contained at least 63 million people, there were potentially many more sensitive email addresses.

However, we only viewed a small sample.

This has happened numerous times over the last few years, and the issue is getting worse.

The company could also face legal action as a result.

Hackers could access their accounts and steal information relating to their businesses and customers.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

They then examine each data store for any data being leaked.

Our team was able to access this database because it was completely unsecured and unencrypted.

OneMoreLead was using an Elasticsearch database, which is ordinarily not designed for URL use.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security.

We reached out to OneMoreLead to let them know about the vulnerability and suggest ways to secure their system.

The purpose of this web mapping project is to help make the internet safer for all users.

We never sell, store, or expose any information we encounter during our security research.

This has included a data breach originating from a Microsoft company cloud account.

We also revealed that a popular Paleo diet company compromised the privacy and security of its entire customer base.

You may also want to read our VPN Leak Report and Data Privacy Stats Report.
