SoftwareProjects exposes substantial customer and affiliate data

Affiliate sales platform SoftwareProjects had nearly 200GB worth of customer and affiliate data publicly exposed before the exposure was discovered and reported by cybersecurity researcher Jeremiah Fowler. The exposed database contained 257,562 records, including images of credit cards, identification documents, personally identifiable information, and other potentially sensitive material.

“There were thousands of documents that disclosed personally identifiable information (PII) of both clients and affiliates,” said Fowler in a blog post. “The database was marked as CDN, which typically stands for a content delivery network or content distribution network.” CDN is where documents and files are stored to speed up the load time of an application, website, or other data-heavy web-based tools, according to Fowler.

Critical customer and affiliate data exposed

The non-password protected database had two folders containing verification documents of clients and affiliates respectively along with a few internal documents. “I saw many internal documents such as invoices, refunds, affiliate payouts, sales and accounting data, and much more,” Fowler said. “The most concerning discovery I saw was approximately 18,000 order verification files that included images of personal identification documents, pictures of individuals holding identification documents, and credit cards from customers worldwide.”

After making the discovery, Fowler sent a disclosure notice to SoftwareProjects. He was thanked and informed that the access issue affecting the directories had been resolved by moving all PII data out of public buckets. However, he found that the database remained publicly accessible for some time before access was restricted.

“In a separate folder, there were verification documents for affiliates,” Fowler added. “These affiliate records could be potentially more sensitive than customer records because cybercriminals would be aware that these individuals are engaged in business activities and could potentially be more valuable targets for theft or fraud.”

Additionally, the database contained a range of other files and documents, including invoices with customer PII, refund documents, bank transfer records, and .csv earnings reports that showed affiliates' ABA account numbers.
