Brazilian WiFi management software company WSpot exposed a lot of details about top companies and millions of customers.
WSpot provides software that enables businesses to secure their on-premises WiFi networks and provide password-less online access to their customers. Some of WSpot’s notable clients include Sicredi, Pizza Hut, and Unimed.
According to WSpot, 5% of its customers were impacted by this leak. However, he maintains that financial information is never collected from customers, so financial data is not included in the leak.
About the leak
Safety research firm SafetyDetectives discovered the leak and discovered that WSpot had an incorrectly configured Amazon Web Services S3 bucket. Apparently, this compartment was unprotected and open to public access, which led to 10 GB of visitor data exposure.
The bucket was discovered on September 2 and WSpot was notified on September 7, after which the company was able to secure it immediately. The Brazilian company has confirmed that its servers have remained intact and that threat actors have not invaded them.
SEE: Brazilian market integrator Hariexpress unveiled 1.75 billion records
In addition, there is no indication that unauthorized third parties have accessed the information exposed. The company says it hired a security company to investigate the incident.
What has been exposed?
Approximately 226,000 files were exposed in this data breach. The disclosed information included the personal details of at least 2.5 million users who logged into WSpot’s customer’s public WiFi networks.
Additionally, according to SafetyDetectives ‘analysis, the information exposed included details of who accessed the companies’ WiFi service, which includes full name, full address, email address, and phone numbers. taxpayer registration, as well as plain text login credentials created by users when registering for the service.
In their blog post, SafetyDetectives explained that:
“We discovered two different types of files exposed on the open database: SMS logs and guest reports. There may be more information exposed that was not visible in our sample data. 84MB of files containing SMS logs were found in the WSpot database. There were approximately 280,000 such log entries in total. The SMS logs disclosed two forms of personal and confidential visitor data. This data belongs to the people who have connected to the WiFi of each WSpot client.
WSpot confirmed the leak
According to ZDNet, WSpot has confirmed the leak. The company Explain that the leak was due to insufficient “standardization of information management”, which was stored in a specific file. The company further noted that it was already fixing the issue since SafetyDetectives notified it and technical procedures were completed on November 18.
SEE: Brazilian cosmetics giant Natura disclosed 192 million records with payment data
A company spokesperson said it had yet to contact the National Data Protection Authority about the incident and that WSpot would handle all legal matters. It is also unclear whether the notified company has impacted users or not.