A large Enterprise Resource Planning (ERP) company in Mexico kept an unprotected database of sensitive information of hundreds of thousands of users online, which was available to anyone to view.
A report by cybersecurity researcher Jeremiah Fowler, who discovered the archive and reported his findings to Website Planetnoted the database, which was accessible to anyone who knew where to look, and contained 769 million records.
These records contain secrets and personally identifiable information, such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database is 395 GB in size and belongs to ClickBalance, a software vendor that offers a variety of cloud-based business services that help automate administration, accounting, inventory, payroll, and more.
Disruptive potential
Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Once Fowler found the archive and identified its owner, he contacted the company, which locked it down “within hours.”
However, it is not known whether malicious actors had already discovered it, and whether or not they used the data in one of their campaigns. Only a detailed forensic investigation can determine that, Fowler argues.
While obtaining tax identification numbers or bank account numbers is certainly dangerous and allows cybercriminals to commit identity fraud, stealing active email addresses is likely more valuable as it allows them to launch phishing attacks that can spread malware and even ransomware.
Unprotected databases remain one of the most common causes of data breaches, despite their disruptive potential. Many large corporations and government organizations were found to have online databases without any security. In one such case, the personal information of the entire Brazilian population was leaked.
In early January 2024, researchers from Cybernews discovered an unprotected database containing personal information of approximately 223 million Brazilian citizens.