An open database containing more than 18,000 records was found exposed due to a third party provider.
Security researcher Mark Daniels discovered the CouchDB database on July 30th. It had contained 18,667 records including names, account numbers, transaction details, admin passwords and user credentials.
Additionally the database also had IP addresses, Ports, Pathways and storage information that could be exploited to access deeper parts of the network.
Anyone with access to the database could edit, download, or even delete data without requiring administrative credentials.
Following an investigation Daniels discovered that the database belonged to Timberwise, a UK property preservation company. Timberwise were notified about the leak, and the company stated that the issue was due to a third party provider.
The third party provider have been contacted numerous times however after the first notification the contact stopped replying. Daniels noted that there is no way to know who the third party service provider is.
“We have seen many cases of 3rd party providers who inadvertently expose their client data publicly online. We would advise that any organization who uses a 3rd party provider be aware of any past data incidents and inquire about what security measures they employ for data protection,” Daniels concluded.
Timberwise have yet to respond or comment on the leak.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.