Data of 30 million WordPress users leaked by top cloud accounting firm

A Canadian cloud unicorn leaves database with sensitive data unattended.

FreshBooks, a Canadian unicorn startup building cloud accounting software, kept an Amazon Web Services (AWS) Storage bucket holding sensitive employee information unprotected on the internet, available to anyone who knew where to look, experts have claimed. 

As a result, more than 30 million of its users, in more than 160 countries around the world were put at risk of identity theft and other cybercrime.

The alert was issued by the Cybernews (opens in new tab) research team, which first discovered the database in late January 2023.

Easily cracked passwords

On first glance, it held storage images and metadata of its blog, but deeper analysis discovered backups of the website’s source code, as well as site info, configurations, and login data for 121 WordPress (opens in new tab) users. The login data – usernames, email addresses, and hash passwords – belonged to the site’s administrators. They were hashed using “easily crackable” MD5/phpass hashing framework, the researchers said, suggesting that obtaining the information in plaintext was relatively easy.

With this information, the Cybernews’ team says, threat actors could have accessed the website’s backend and made unauthorized changes to its content. They could have analyzed the source code, understood how the website operated, and found other vulnerabilities to sell or exploit. In fact, a 2019 server backup held “at least five”vulnerable plugins that were installed on the website at the time, the researchers found. 

In an even more dangerous scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.

There is a caveat to exploiting the vulnerability, though: “The website’s login page to the admin panel was secured and not publicly accessible,” the researchers explain. “However, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin.”

Via: Cybernews (opens in new tab)

Leave a Reply