A major Mexican enterprise resource planning (ERP) company left an unprotected database online containing sensitive information on hundreds of thousands of users, accessible to anyone who found it.
According to a report by cybersecurity researcher Jeremiah Fowler, who discovered the database and reported his findings to Website Planet, the database, reachable by anyone who knew where to look, contained 769 million records.
These records included secrets and personally identifiable information, such as API keys, secret keys, bank account numbers, tax ID numbers, and email addresses. The database was 395 GB in size and belonged to ClickBalance, a software provider offering various cloud-based business services for administration automation, accounting, inventory, payroll, and more.
Disruptive potential
Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers, and once Fowler found the archive and identified its owner, he contacted the company, which locked it down “within hours.”
Whether malicious actors had already discovered this and used the data in their campaigns is unclear, Fowler said, and only a thorough investigation will be able to determine that.
While obtaining tax identification numbers or bank account numbers is certainly dangerous and enables cybercriminals to conduct identity theft, stealing active email addresses is arguably more valuable to them, as it allows them to launch phishing campaigns through which they can deploy malware or even ransomware. The exposed API keys and secret keys are a separate problem: any credential that sat in a publicly readable database should be treated as compromised and rotated, regardless of whether there is evidence it was used.
Despite the damage they can cause, unprotected databases remain one of the most common causes of data breaches. Many large companies and government organizations have left databases online without any protection. In one such case, the personal information of essentially the entire Brazilian population was exposed.
In early January 2024, Cybernews researchers discovered an unprotected database containing personal information on approximately 223 million Brazilian citizens.