[German]Security researchers from Cybernews have discovered an unprotected database on the Internet that belongs to the marketing automation platform Maropost. Through this database, 95 million records containing e-mail addresses and other customer data have been revealed. Attempts to contact the company were unsuccessful.
Maropost is a large marketing company that operates an automation platform in the USA, Canada and India. The company offers solutions for companies in the marketing environment worldwide. This includes e-mail “marketing, trade, service, customer care and forwarding”. The company has more than 10,000 customers, including companies such as the New York Post, Shopify, Fuji lm, Hard Rock Café and Mother Jones.
The data leak with 95 million records
The Cybernews security team informed me a week ago about a data leak at the marketing giant Maropost. While searching the Internet for open databases, they came across an unprotected database of Maropost, which is accessible via the Internet. The database in question apparently contains almost 95 million individual customer details.
Among the data found, there are e-mail addresses of Maropost customers, including the customer lists of these companies, who were contacted by Maropost in the course of marketing campaigns. This means that the entire Maropost customer base and their address database has been disclosed. The records contain not only e-mail addresses, but also names, telephone numbers, dates of birth, credit ratings, addresses, information on family members, detailed mortgage and tax records, detailed data profiles, including information on personal interests, investments and political, charitable and religious donations.
The exposed Maropost database was hosted on a Google cloud server in the USA. How long the database will be publicly available is unknown.
Marupost does not respond
The CEO of Maropost, Ross Andrew Paquette, writes about the secret of success on various websites and emphasises that this success is based on customer service. But security does not seem to be part of it. The Cybernews team has unsuccessfully attempted to contact Maropost by various means (e-mail, Twitter, live chat) to inform them of the data leak. The company’s forms of communication seem to be underground if you are not a paying customer. At the end of the day the security researchers informed the US authority CISA.