REPORT: Digital marketing agency exposed 92 million records online, including employee and customer data.

Security researcher Jeremiah Fowler, working with the WebsitePlanet research team, discovered a non-password-protected database containing 92 million records. Upon further investigation, it appeared to belong to the Cronin digital marketing agency. The publicly accessible server was named "CroninMain", and many of the records contained references to Cronin. The records included internal data such as employee and customer information. The dataset also included a "master mailing list" containing names, physical addresses, salesperson IDs, phone numbers, and lead sources.

The Connecticut-based organization lists some very high-profile clients on its website. According to Cronin's site, they are "a digitally-driven, results-focused marketing agency, powered by technology. Customer-centric: financial, healthcare and consumer products/services." According to a press release issued on March 16, 2020, Horizon Group North America acquired Cronin, Connecticut's largest independent full-service marketing agency. Their client list includes companies such as Dunkin, Lego, Henkel, and Loctite, to name a few.

Here's what was found:

Total size: 26.43 GB / Total documents: 92,711,060 public records, containing:

- Internal logs of client ad campaigns, keywords, Google Analytics data, session IDs, customer IDs, device data, and other identifying information.
- Login tokens and other security information.
- Internal Cronin employee usernames, emails, and hashed passwords that could be targeted in phishing attacks or used to access restricted areas of the network or password-protected records.
- Employee and financial records, including billing rates and fields such as "Department": "Numbers" and "Department Code": "Technology and Innovation ", along with other internal records and record formats.
- Details of where the data is stored, which serve as a blueprint for how the service runs on the back end.
- Middleware and build information that could provide a second path for malware.
- IP addresses, ports, paths, and storage information that should not be publicly available and that cybercriminals could use to penetrate networks.
- The database could be opened and viewed in any browser (publicly accessible), and anyone could edit, download, or even delete the data without administrative credentials.

The downside of this technology is that digital records and cloud storage also increase the risk of data incidents and exposure. For companies working in the digital space, the cybersecurity threat landscape evolves daily. Any organization that relies on technology and data as the core of its business must take extra steps to protect the digital records it collects and stores online. In this case, a large number of records could be accessed by anyone with an Internet connection.

I immediately sent a responsible disclosure notice on March 6, 2021, to multiple contacts, including those found in the records. On March 11, after noting that the database was still public, I followed up again. This time, I spoke with someone by phone who told me that they were aware of the incident and were addressing the matter. The next day, the database was secured. It is unclear how long the database was exposed or who else gained access to Cronin's records. We are not suggesting that any of Cronin's employees or customers were ever at risk; we are simply highlighting the facts we have discovered to raise awareness of any potential cybersecurity vulnerabilities.

The risk of such exposure

Cybercriminals are always trying to capitalize on the data they find. Knowing insider information about business relationships may put employees and customers at risk of social engineering attacks or targeted spear-phishing attempts. There may also be enough information to carry out a man-in-the-middle (MITM) attack, in which an unauthorized third party intercepts or accesses a transaction between two parties. For example, if an invoice is due, they can see the date, the amount, and whether the invoice has been paid or is in arrears. The offender then asks for the payment to be deposited into their own account rather than the company's. All they have to do is call or email and say "we have updated our bank details, please pay your outstanding balance to the account below". They can provide invoice numbers or other internal account information that only the service provider would have. The customer has no reason to suspect anything, and the money is gone. This happens far more often than one might think and often goes unreported unless the amount is too large to ignore.

It is estimated that the digital marketing agency market in 2021 is worth $17.2 billion in the US alone. Many companies want to see how a competitor's business operates from the back end. Analyzing data is the secret ingredient of any company's sales success. What tools or apps are they using? What are the views, clicks, sales, and so on? This exposure paints a clear picture of where ads are placed, what they cost, where lead data comes from, and other important details.

Commercial espionage has been going on for a long time, and businesses do everything they can to protect the way they deliver their services. In this case, the front door is locked, but the back door is wide open, allowing anyone to access vast amounts of data and analytics.

As security researchers, we never download or extract the data we find; our goal is to secure and protect exposed records before they can be exploited. This is yet another reminder that the digital marketing and advertising industry must do more to protect the data it collects and stores. Having a dedicated team to manage data security is an important step. We know that not all companies can afford a large security budget, but they can easily create a communication channel for reporting data incidents or educate customer support on how to handle external data security notifications. We see data breaches all the time because key leadership is hidden behind firewalls, making it difficult to report incidents. This can delay securing the data and increase the risk of information being leaked or compromised by ransomware.

We are not implying any wrongdoing on the part of Cronin Group Holdings, LLC, its partners or affiliates. Nor are we implying that clients or customers are at risk. We emphasize that our findings are only intended to raise awareness of cybersecurity best practices and data protection.