Kwic ISP Misconfiguration Nightmare

Kwic Internet, a Canadian Internet Service Provider, accidentally exposed terabytes of data to the public internet through synchronization services that lacked authentication. This data trove included credit card numbers and expiration dates, many dozens of MySQL databases, internal company email archives, client email archives, and mountains of passwords scattered throughout.

Curiously, one of the database backups for Annex Media Publishing, a Kwic client, contained the details of all 38 million breached Ashley Madison accounts. What is a publishing company doing with the Ashley Madison dump? Steve Ragan, of CSOOnline (http://www.csoonline.com), hasn’t been able to get an answer about that from the company.

I’m calling this a near-worst-case scenario because there is only limited evidence of infiltration by malicious entities. An r57 PHP shell was located within these backups, which suggests that bad guys have been able to gain at least moderate access to the live production side of one or more Kwic servers. I also saw plenty of support emails discussing clients claiming their websites, hosted by Kwic, were hacked.

If someone with criminal intent had indeed found this motherlode, and really wanted to cause trouble, they could be combing through the mountains of backed up emails in which Kwic staffers regularly pass along plaintext customer passwords. Here’s a censored sample:

All done.

Site is dev.securitypages.ca

FTP:
Username:    securitypages
Password:    [CENSORED]

MySQL:
Database:    securitypages
Username:    securitypages
Password:    [CENSORED]

Thanks,
KWIC Internet
Support Services
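A defender who inherits an archive like this wants to know how many such messages exist before anyone else does. The scanner below is an added example, not code from the original post or from Kwic: it walks a message body, tracks which service block (FTP, MySQL) a line sits under, and reports every plaintext password line with the value masked. The sample message, hostname and passwords are constructed, and the line format it expects is an assumption based on the censored email quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the support email quoted above (all values made up).
SAMPLE_EMAIL = """All done.

Site is dev.example-client.invalid

FTP:
Username:    exampleclient
Password:    Tr0ub4dor&3

MySQL:
Database:    exampleclient
Username:    exampleclient
Password:    hunter2hunter2

Thanks,
Support Services
"""

# A bare "Label:" line opens a service block; a "Password: value" line inside it is a finding.
SERVICE_HEADER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*):\s*$")
PASSWORD_LINE = re.compile(r"^\s*(Password|Passwd|Pass)\s*:\s*(\S.*?)\s*$", re.I)

@dataclass
class Finding:
    line_no: int
    service: str
    masked_value: str

def mask(value: str) -> str:
    """Keep only the first character so analysts can correlate findings without seeing the secret."""
    return value[0] + "*" * (len(value) - 1) if value else ""

def find_plaintext_credentials(text: str) -> list[Finding]:
    """Return one Finding per plaintext password line, tagged with the service block it belongs to."""
    findings = []
    service = "unknown"  # password lines before any "Label:" header are still reported
    for line_no, line in enumerate(text.splitlines(), start=1):
        header = SERVICE_HEADER.match(line)
        if header:
            service = header.group(1).strip()
            continue
        hit = PASSWORD_LINE.match(line)
        if hit:
            findings.append(Finding(line_no, service, mask(hit.group(2))))
    return findings
```

Run over a mailbox export one message at a time, the list of findings doubles as the scope of credentials that must be rotated, which is the first step of the notification process the post describes.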

As an American, I must admit I’m not entirely familiar with Canadian breach notification laws. However, if there is any kind of mandatory reporting, this could quickly turn into a real nightmare situation. Not only would Kwic need to notify thousands of business and residential clients, but those clients would then need to turn around and notify all their own clients. That’s the nature of high-level breaches where one company is hosting another company’s data. Think of it as a trickle-down notification process.

Welcome to the consequences of cloud-style hosting.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: security@kromtech.com