Cloud accounting firm in a pickle after researchers find admin login data

A Canadian cloud unicorn leaves a database unattended

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

FreshBooks, a Canadian unicorn startup building cloudaccounting software, kept anAmazonWeb Services (AWS) Storage bucket holding sensitive employee information unprotected on the internet, available to anyone who knew where to look, experts have claimed.

As a result, more than 30 million of its users, in more than 160 countries around the world were put at risk of identity theft and other cybercrime, perhaps not directly but through more targeted attack using the data obtained.

The alert was issued by theCybernewsresearch team, which first discovered the database in late January 2023.

Easily cracked passwords

On first glance, it held storage images and metadata of its blog, but deeper analysis discovered backups of the website’s source code, as well as site info, configurations, and login data for 121WordPressusers. The login data - usernames, email addresses, and hash passwords - belonged to the site’s administrators. They were hashed using “easily crackable” MD5/phpass hashing framework, the researchers said, suggesting that obtaining the information in plaintext was relatively easy.

With this information, the Cybernews’ team says, threat actors could have accessed the website’s backend and made unauthorized changes to its content. They could have analyzed the source code, understood how the website operated, and found other vulnerabilities to sell or exploit. In fact, a 2019 server backup held “at least five” vulnerable plugins that were installed on the website at the time, the researchers found.

This top WordPress plugin had a security flaw that could let hackers hijack your site>This critical WordPress plugin flaw could let hackers hijack your website>Check out the best endpoint protection services right now

In an even more dangerous scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.

There is a caveat to exploiting the vulnerability, though: “The website’s login page to the admin panel was secured and not publicly accessible,” the researchers explain. “However, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via:Cybernews

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Nokia confirms data breach leaked third-party code, but its data is safe

Best CDN provider of 2024

Black Friday is here: Sony XM5 over-ears drop to their lowest-seen price – act fast!