Is that 270 million records exposed by Verizon development?
In early September, I discovered a dataset of 104 GB that contained 271,588,696 records. Nearly all of the folders were titled VILS and referenced online learning, students, and other educational keywords.
The records also indicated that these were both development and “QA”, which I assume stands for quality assurance.
Upon further research, the only educational program I could find that used "VILS" was the Verizon Innovative Learning Platform (Schools).
We can only speculate that this is the same VILS as we think. We have no confirmation of our assumption.
- Total Size: 104.0 GB
- Total Docs: 271,588,696
- Internal development records that show how the platform is structured, employee development, and logins with very easy passwords in plain text.
- The files also show where data is stored and a blueprint of how the network operates from the back end, including functionality, storage IPs, security logs, and tokens. This information could potentially be used to launch a cyberattack on the production version of the VILS platform.
- The database was at risk of a ransomware attack that would encrypt the data.
- The records indicated middleware, configuration, or build information that could allow for a secondary path for malware.
- The database was set to open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials. However, there were admin logins and passwords in plain text that could have allowed for full access. (As security researchers, we never bypass or use exposed credentials, so I can only speculate what access these could provide.)
Here is an example of what the exposed folders and records looked like.
Here is an example of admin emails and passwords exposed.
The administrative email addresses inside the database were @publicissapient.com.
According to Wikipedia: Publicis Sapient is an American digital consulting company founded as Sapient in Cambridge, Massachusetts, in 1990. According to their website, Publicis Sapient is a "digital transformation company".
It is difficult to understand clearly what that means, but it appears they are a one-stop-shop for digital solutions and business/technology consulting using cloud-based technology.
No one from Publicis Sapient or Verizon responded to our responsible disclosure notice or follow-up message. Public access was restricted the same day we reported it to Publicis Sapient.
It is unclear how long the database was exposed or who else may have gained access to these potentially sensitive records that were accessible to anyone with an internet connection.
Protecting a development environment is extremely important to reduce the risk of an attack or data exposure down the road.
Even though the data may not contain personally identifiable information, there is a treasure trove of records that criminals could steal, such as encryption and access keys, passwords, knowledge of security controls, or intellectual property.
Another risk is that cybercriminals could embed malicious code or crypto mining into the project without an organization's knowledge. A clear understanding of how the platform, applications, or utilities work is the first step in planning an attack.
Another helpful security tip is to conduct protective monitoring of any development environment. This could help identify the difference between legitimate and unauthorized access to the environment, so it is important not only to keep logging records but also to ensure that someone is actually reviewing them. Today, employees and companies are located all over the world, and teams need access.
We often see mistakes and misconfigurations that expose the entire dataset. I would recommend that any company that is outsourcing or has remote team members ensure strict access policies, such as 2-factor logins or other additional steps.
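As a sketch of the log review described above, the following added example (not code from the researchers, Publicis Sapient, or Verizon) flags successful requests to a development datastore that arrive without an authenticated user, from outside an allowlisted network, or that write, delete, or bulk-download data. The log format, the allowlisted range, the threshold, and every name in it are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in an assumed format:
# time, source IP, user ("-" = unauthenticated), method, path, status, bytes sent
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.20.0.15 dev-alice GET /dev/records 200 5120
2024-01-10T09:02:44Z 10.20.0.15 dev-alice PUT /dev/records/17 201 310
2024-01-10T11:30:12Z 203.0.113.50 - GET /qa/folders 200 2048
2024-01-10T11:30:40Z 203.0.113.50 - GET /qa/records 200 734003200
2024-01-10T11:41:05Z 203.0.113.50 - DELETE /qa/records 200 64
2024-01-10T12:00:00Z 198.51.100.7 - GET /dev/records 401 0
""".splitlines()

ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed office/VPN range
BULK_BYTES = 100 * 1024 * 1024                         # assumed per-source threshold
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}

def review(lines, allowed=ALLOWED_NETS, bulk_bytes=BULK_BYTES):
    """Return {line_number: [reasons]} for successful requests that need a human look."""
    findings = defaultdict(list)
    downloaded = defaultdict(int)  # running bytes served per source IP
    for n, line in enumerate(lines, 1):
        _ts, src, user, method, _path, status, size = line.split()
        if not 200 <= int(status) < 300:
            continue  # a rejected request means the access control did its job
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            findings[n].append("source outside allowlist")
        if user == "-":
            findings[n].append("no authenticated user")
            if method in WRITE_METHODS:
                findings[n].append(f"unauthenticated {method}")
        before = downloaded[src]
        downloaded[src] += int(size)
        if before < bulk_bytes <= downloaded[src]:
            findings[n].append("bulk download threshold crossed")
    return dict(findings)

if __name__ == "__main__":
    for line_no, reasons in sorted(review(SAMPLE_LOG).items()):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Only successful requests are reported, so a reviewer sees the accesses that actually returned or changed data rather than every blocked probe.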
According to their website:
Taking responsibility for our shared future means ensuring the benefits of technology are available to all. Right now, millions of students here in the U.S. lack the connectivity, technology, and skills required for success in today's digital economy. That's why we've been working to help foster digital inclusion through a transformative education program called Verizon Innovative Learning. It’s a key part of our goal to help move the world forward for all through Citizen Verizon, our responsible business plan for economic, environmental, and social advancement.
Disclaimer: Our primary goal is always data protection and ensuring that public access to these sensitive records is restricted as fast as possible. We are not implying any wrongdoing by Publicis Sapient, Verizon, their partners, or affiliates, and we are highlighting our findings to raise awareness of best practices and for cyber security education.