WizCase security team reports a large data breach in which millions of records, including passwords and payment data, were exposed online. The data belongs to Ringostat, a company based in Eastern Europe.
Ringostat is a Ukrainian marketing platform with call tracking, telephony, and end-to-end analytics features. The company has been around since 2013 and promises to help businesses optimize marketing and ROI, build effective communication with customers, and boost sales.
Anyone who possessed the right link to the company’s data could access billions of phone numbers, call recordings, call logs, various metadata, and more, which could enable further attacks.
The company didn’t protect the data with a password, and it was not encrypted, so anyone could freely access the information.
This is despite the security notice on the company’s website that says “users’ data protection is Ringostat’s main priority.”
What’s even stranger, the company goes further, stating that “the platform processes and stores information in compliance with encryption standards, redundancy requirements, and GDPR, as with users from the EU.”
This obviously wasn’t true, as WizCase researchers showed.
Their team of ethical hackers, led by Ata Hakçıl, discovered an ElasticSearch database used by Ringostat in which over 800 GB of user data lay exposed online.
Data of some 67,000 Ringostat clients was exposed on the leaky ElasticSearch server. Since the company is Ukrainian, most of its clients must be Ukrainian.
Not only were personal details exposed, but also voice recordings of calls.
The researchers calculated there were 13,000,000 phone numbers, 8,000,000 voice recordings, and hundreds of millions of call logs and metadata. In total, approximately 2 billion records.
Researchers found that the voice recordings could be accessed by anyone with the proper link and an Internet connection.
Metadata included the caller’s and the receiver’s phone numbers, the time and duration of the call, the IP address of the receiver, the GSM carrier, and the client company that answered the call.
That’s not all: the WizCase team found payment records from Stripe, including users’ ID, IP, port, and transaction time.
Leaked personally identifiable information of this kind is routinely used by bad actors in credential stuffing attacks to access accounts on other websites, which can lead to further information leaks, identity theft, and financial losses.
The exposed data has since been secured by Ringostat, but it’s unknown how long it had been vulnerable and whether anyone stole it.