Data leak at US marketing company reveals 39 million user data

[German]Security researchers from CyberNews have discovered an unsecured Amazon AWS S3 bucket. The data leak revealed the personal data of 39 million US citizens.


Security researchers CyberNews discovered an unsecured database (data bucket) belonging to the US online marketing company View Media. The Amazon AWS S3 Bucket contains nearly 39 million U.S. user records, including their full names, e-mail and street addresses, phone numbers and zip codes. View Media works with companies such as Times Media Group and Tribune Media. 

The database was found on a publicly accessible Amazon Web Services (AWS) server, so anyone can access and download the data. Following the 350 million email leak reported by CyberNews in early August, this is the second time this summer that security researchers have found an unsecured Amazon Web Services S3 bucket containing such large amounts of user data.

What data was found in the database?

On this website CyberNews discloses the details. The publicly accessible Amazon AWS S3 bucket contained 5,302 files, including:

  • 700 working documents stored in PDF files for targeted email and direct mail advertising campaigns
  • 59 CSV and XLS files containing a total of 38,765,297 records of US citizens, of which 23,511,441 records were unique

The user data files were created based on the cities and zip codes targeted by the marketing company's campaigns and contained full names, addresses, zip codes, e-mails and phone numbers of individuals based in the United States.

The S3 bucket was hosted on Amazon's Amazon AWS server, which was available to anyone over the Internet for an unknown period of time without security. It is unclear whether any hackers or cyber criminals had access to the stored data. Such unsecured Amazon buckets are relatively easy to find and accessible without any kind of authorization. This means that anyone who knows where to look could have downloaded the files.


The consequences

Even though the files in the unsecured Amazon S3 bucket do not contain highly sensitive personal information such as social security or credit card numbers, cybercriminals can use the personal information in the database for a variety of malicious purposes:

  • Fraudsters can use the names, email addresses and phone numbers of vulnerable individuals for a variety of fraudulent purposes.
  • Simple contact information can be enough for spammers and phishers to launch targeted attacks against more than 38 million exposed Americans from a variety of angles, including robo calls, text messages, e-mails and social engineering campaigns.
  • Certain cybercriminals can combine the data found in this area with data from other data leaks to profile potential targets for identity theft.

Because security researchers were initially unable to identify the owner of the unsecured Amazon AWS S3 bucket, they contacted Amazon on July 27, 2020. The open database on the Amazon AWS S3 bucket was secured on July 29, 2020, and the data leak has been closed.

The security researchers contacted one of the marketing company's clients, who is mentioned in a dr working document. This client then helped the security researchers identify View Media as the owner of the database on August 21, 2020. On August 24, the security researchers contacted View Media to make an official statement about the data leak. However, they did not receive a response from the company.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *