Global Communication Software and Service Provider Left Massive Amount of Data Online, Potentially Exposing Millions of Subscribers
Online communication has become a vital part of today’s business environment and it is essential that business owners have tools and analytics to gauge efficiency, communication, and a range of data sets. One of the top companies that provides cloud-based unified communications has just leaked more than 600GB of sensitive files online.
The Kromtech Security Center has discovered not just one but two cloud-based file repositories (AWS S3 buckets with public access) that appear to be connected to the global communication software and service provider BroadSoft, Inc. BroadSoft has created an infrastructure for cloud unified communications tools that can be hosted by a service provider or cloud hosted by BroadSoft. The publicly traded company has over 600 service providers across 80 countries and supports millions of subscribers, according to its website. Its partners are some of the biggest names in the communication business, telecom, media, and beyond, including Time Warner Cable, AT&T, Sprint, and Vodafone, among many other well-known companies. With 25 of the world’s top 30 service providers by revenue using BroadSoft’s infrastructure, and with so many subscribers, it is easy to see that this data leak could have a massive reach.
BroadSoft Business Applications
UC-One = single, integrated business communications solution.
Team-One = chat, take notes, track tasks and share files in organized workspaces. Also provides access to Google, Drive, Salesforce and other apps. Team-One is integrated with over 50 other popular apps.
CC-One = omni-channel, cloud contact center solution that uses predictive analytics to lower operating costs and improve business performance.
Hub = unified experience, bringing together BroadSoft Business and cloud apps.
Other BroadSoft Business Platforms include BroadWorks, BroadCloud, Carrier, PaaS, Reseller, BroadSoft Mobility.
How the Leak Happened
The problem is that the repository was configured to allow public access and exposed extremely sensitive data in the process. They used Amazon's cloud but misconfigured it by leaving it accessible. Amazon AWS buckets are protected by default, but these were somehow left publicly available. Most likely engineers forgot about them and never removed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents. Not only could they access the documents, but any “Authenticated Users” could have downloaded the data from the URL or using other applications. With no security in place, a simple anonymous login would work.
This leak shows once again just how insecure data can be when improper security settings are used. In this instance the same mistake leaked the data and information of potentially millions of BroadSoft’s customers and those their partners serve. This is not unique to BroadSoft and happens to companies big and small, but what does stand out is the size and scope of their business. Their infrastructure and portfolio of applications are used by millions of customers, and many of them had their data exposed. It is unclear if BroadSoft will be notifying affected customers of this data exposure or if the partner companies who use their infrastructure will.
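The misconfiguration described above shows up in a bucket's access control list as a grant to one of S3's predefined groups. The following added example (not Kromtech's or BroadSoft's code) checks ACL documents, in the shape returned by boto3's `get_bucket_acl()`, for such grants; the bucket names and ACLs are constructed samples.

```python
# Added example: audit S3 bucket ACLs for grants to the predefined public groups.
# The ACL documents are constructed samples shaped like the response of
# boto3's s3.get_bucket_acl(); the bucket names are hypothetical.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet",
                 AUTH_USERS: "any AWS account holder"}


def public_grants(acl):
    """Return sorted (audience, permission) pairs for grants to public groups."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.add((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return sorted(findings)


def audit(inventory):
    """Map bucket name -> public grants, only for buckets that have any."""
    report = {}
    for name, acl in inventory.items():
        found = public_grants(acl)
        if found:
            report[name] = found
    return report


def _owner_grant():
    # Constructed owner entry; a private bucket carries only this grant.
    return {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
            "Permission": "FULL_CONTROL"}


SAMPLE_INVENTORY = {
    "example-prod": {"Grants": [_owner_grant()]},
    "example-test": {"Grants": [_owner_grant(),
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "example_test": {"Grants": [_owner_grant(),
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ_ACP"}]},
}

if __name__ == "__main__":
    for bucket, grants in audit(SAMPLE_INVENTORY).items():
        for audience, permission in grants:
            print(f"{bucket}: {permission} granted to {audience}")
```

This covers bucket ACLs only; bucket policies and per-object ACLs can also grant public access and need their own review.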
How It Was Discovered
In July, Kromtech Security researchers discovered an Amazon S3 cloud-based data repository that was connected to the WWE (World Wrestling Entertainment), hosted on the public 'wwe-test' S3 domain. This raised the flag that many administrators could potentially open a backup for testing and never close it. After the discovery, researchers began testing other variations of the '-test' suffix and came across 2 of the connected repositories (one using the underscore sign '_', which is not recommended by Amazon). Searching for test repositories is how the leak was discovered, and we can only assume there are many more cloud-based data leaks actively available that started out as a testing ground but were never secured.
On Aug 29th a security notice was sent to engineers based in BroadSoft’s Indian office (Bangalore) whose email communications were found in the repository. The reply was: “Who gave you my contact and it does not belong to us”. Then, ironically, one of the two repositories was closed to public access almost immediately after the notification. This suggests that engineers may have been trying to do damage control by denying that the 600GB of data belonged to BroadSoft or their clients.
The second bucket was quickly secured only after a notification email was sent to Charter-related people.
What The Leak Contained
In short, the repository contained a massive amount of sensitive information, and researchers estimate it would take weeks to fully sort through all of the data. The most potentially damaging discovery was that it contained internal development information such as SQL database dumps, code with access credentials, access logs and more. These are all things that should not be publicly available online. The two repositories contained thousands and thousands of records and reports for a number of BroadSoft clients, with Time Warner Cable (TWC) appearing to be the most prominent and including applications like Phone 2 Go, TWC app, WFF etc.
Much of the internal development data apparently saved by BroadSoft engineers related to Time Warner Cable, Bright House Networks (BHN/Charter). For example, the “User Profile Dump, 07-07-2017” text file contains more than 4 million records, spanning the time period 11-26-2010 - 07-07-2017, with Transaction ID, user names, MAC addresses, Serial Numbers, Account Numbers, Service, Category details, and more. Other databases also have billing addresses, phone numbers etc. for hundreds of thousands of TWC customers.
Bob Diachenko, chief communications officer, Kromtech Security Center:
Cyber criminals and state-sponsored espionage are a real threat to major corporations, businesses of all sizes, and individuals. We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes. The bottom line is that data is valuable and there will always be someone looking for it. Improperly securing data is just as bad if not worse because it was preventable. In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access the company's network and infrastructure.
The Threat and Risk
Cyber criminals and state-sponsored espionage are a real threat to major corporations, businesses of all sizes, and individuals. We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes. One example is the infamous Yahoo email breach and the belief that it was used to identify dissidents, trade secrets, and gather other sensitive data. The bottom line is that data is valuable and there will always be someone looking for it. Improperly securing data is just as bad if not worse because it was preventable. BroadSoft accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access their network and infrastructure.
The Kromtech Security Research Center has downloaded the contents of the repository for verification purposes and it is unclear if anyone else has had access to the data.
As we continue to see more and more cloud leaks appear it reminds us that companies large and small must conduct regular audits to secure their data. Misconfiguration of cloud-based storage repositories that allow public or semi-public access can result in a devastating data leak that requires no hacking or password. The Kromtech Security Team is dedicated to identifying threats and vulnerabilities and helping to secure them or bring attention that will help make data more secure online.
Alex Kernishniuk, VP of strategic alliances, Kromtech:
Unfortunately, oftentimes developers like to simplify their life or quickly resolve some technical problems and grant public read access to the buckets. There are at least two tools already provided by AWS to detect this critical security flaw with your S3 buckets - AWS Trusted Advisor and AWS Config.
Kromtech is now developing a free tool that will allow you to check security for public S3 buckets in a better way.
This is our commitment for securing the Internet and customers around the globe.
UPDATE1: The article has been updated to reflect that no evidence, other than a similar report name, was identified to justify mentioning AMC among the affected companies.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.