Sometimes, there’s no need to hack into an email account or a computer to get extremely sensitive data such as credit card or social security numbers. Sometimes that data is left exposed for anyone who knows where to look—and knows how to use free internet scanning tools.
The recording label of Joan Jett, famous for her classic rock songs such as “I Hate Myself For Loving You” and her “I Love Rock’n Roll” cover, left exposed a treasure trove of sensitive data: scanned photos of her passport and those of her bandmembers, her social security number and those of her bandmates, invoices, banking information, credit cards, social media logins, scanned checks of royalty payments, apparently unreleased song demos, and even old rejection letters.
The data, which was accidentally left exposed online by someone working at Blackheart Records, was discovered last week by security researchers at the MacKeeper Security Research Center, who have specialized in finding a lot of insecure and exposed databases online.
It’s unclear if anyone found these files before MacKeeper, or how long the files were out there, but this is yet another example that sometimes, there’s no need to hack anything, as sensitive data is just lying around on the internet waiting to be found.
“I just can’t believe they were so ignorant when dealing with cybersecurity,” Bob Diachenko, a researcher at MacKeeper, told Motherboard in an email.
A screenshot of some of the folders and files inside the exposed server.
Diachenko explained that he and his colleagues used the search engine Shodan to look for vulnerable ports in different databases and protocols such as MongoDB or rsync. That’s how they found a misconfigured backup server belonging to Blackheart Records that had no password or other authentication protection in place and left open port 873, typically used for the file synchronization protocol rsync. Inside that server, he said, there were more than 200 gigabytes of data.
“Anyone in the entire world with an internet connection could download the data,” the researchers wrote in a blog post on Thursday.
Diachenko said he was able to alert Gabe Godin, the director of new media at Blackheart Records, who told him he fixed the leak last Friday. Reached by phone, Godin told Motherboard on Wednesday that the issue was resolved, but he wasn’t sure how long that backup server had been out there.
The server isn’t accessible anymore, Diachenko confirmed. But when it was, it contained all sorts of stuff. There were internal files on non-public lawsuits, and memorabilia like Jett’s early rejection letters.
A rejection letter sent to Jett’s producer Ken Laguna in 1980.
There were also more potentially dangerous and sensitive items, such as social media passwords and social security numbers, which were stored, of course, in a document titled “SOCIAL SECURITY.”
A redacted screenshot of an Excel spreadsheet that contained the passwords to access some of Joan Jett’s social media accounts.
A redacted screenshot of an Excel spreadsheet containing the social security numbers of Joan Jett and other people associated with her record label.
The server also contained various invoices and checks for licensing deals with TV shows.
Perhaps, no one with evil intentions found all this data before Diachenko and his colleagues did. But the researcher said that there are many others who made the same mistake that someone at Blackheart Records made.
“Our further investigation into the Rsync has uncovered dozens (if not hundreds) of private machines,” Diachenko said, “including small and medium sized businesses who are unknowingly publishing their internal file repositories to the world.”
If you’re an IT manager and are doing backups via rsync, make sure the server you’re using doesn’t have an open port exposing it on the internet, or at least put a password on it.
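As an added illustration of that advice (example code written for this page, not Blackheart Records’ or the researchers’ own), the script below shows a constructed rsyncd.conf of the kind that leaves a module open to anyone reaching port 873, the same module with authentication and an address allow-list added, and a small POSIX shell audit that flags any module protected by neither `auth users` nor `hosts allow`; the module name, paths and addresses are assumptions.

```shell
#!/bin/sh
# Constructed example: an rsyncd.conf that exposes a backup module to anyone
# who can reach TCP/873 (no "auth users", no "hosts allow").
WEAK_CONF='[backup]
    path = /srv/backup
    read only = no
    comment = label file share'

# The same module, hardened: named users with a secrets file, a network
# allow-list, read-only access, and the daemon bound to an internal address.
HARDENED_CONF='address = 10.0.0.5
hosts allow = 10.0.0.0/8
[backup]
    path = /srv/backup
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets'

# audit_rsyncd_conf FILE
# Prints every module reachable with neither a password nor a host allow-list
# and returns 1 if any exists, 0 otherwise. Settings placed before the first
# [module] are inherited as defaults, mirroring rsyncd.conf semantics.
audit_rsyncd_conf() {
    awk '
    function report() {
        if (mod != "" && !(auth || hosts)) { print "UNPROTECTED: " mod; bad++ }
    }
    { line = tolower($0) }
    line ~ /^[[:space:]]*[#;]/ || line ~ /^[[:space:]]*$/ { next }
    line ~ /^[[:space:]]*\[/ {
        report()
        mod = line; gsub(/^[[:space:]]*\[|\].*$/, "", mod)
        auth = gauth; hosts = ghosts; next
    }
    line ~ /^[[:space:]]*auth users[[:space:]]*=/  { if (mod == "") gauth = 1; else auth = 1; next }
    line ~ /^[[:space:]]*hosts allow[[:space:]]*=/ { if (mod == "") ghosts = 1; else hosts = 1; next }
    END { report(); exit (bad ? 1 : 0) }
    ' "$1"
}

# audit_conf_string TEXT: audit a config held in a variable (writes a temp file).
audit_conf_string() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    audit_rsyncd_conf "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone usage: audit_conf_string "$WEAK_CONF" prints "UNPROTECTED: backup"
# and fails; audit_conf_string "$HARDENED_CONF" is silent and succeeds.
```

Note that `auth users` only gates access; rsync daemon traffic itself is unencrypted, so on anything but a trusted network the safer choice is still to keep port 873 off the internet and run rsync over SSH.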