Vulnerabilities

XSocialMedia Exposed 150,000 Records Containing Personal And Medical Information

Another day, another data leak. The latest victim to emerge is a Facebook advertising agency – XSocialMedia which runs marketing campaigns for medical malpractice lawsuits. As revealed by researchers, XSocialMedia exposed a large amount of records containing personal and medical information through an unsecured database.

XSocialMedia Exposed Sensitive Records Online

The hacktivist duo from vpnmentor, Noam Rotem and Ran Locar, discovered another leaky database while continuing their web mapping project. Reportedly, they found numerous vulnerabilities in multiple databases operated by the firm XSocialMedia. As a result, XSocialMedia exposed the records publicly, that contained sensitive details.

As elaborated in their blog post, the researchers found the database belonging to the Facebook marketing agency leaked sensitive details including explicit personal information of users and medical testimonies. They could even access XSocialMedia customers data, invoices, and the number of marketing campaigns for their injury-check.com domains.

The campaigns run by XSocialMedia on Facebook requires the users to enter their information in the appended form. Thus, the researchers could easily see around 150,000 of such responses having explicit details.

All of the entries are tagged with “xsocial_submission_id”, which demonstrates that these form submissions were sent by those who clicked on one of the Facebook ads.

This leaked information included complete names, street addresses, phone numbers, email addresses, circumstances and explanation about the injury, and the users’ IP addresses. Moreover, the leaked information also included the bank details of XSocialMedia leads contained in the exposed invoices.

The affected customers also included some US veterans who shared information about their combat injuries.

Risks Associated With This Breach

The researchers discovered the leaky database on June 2, 2019, and after verifying the ownership, contacted XSocialMedia on June 5, 2019. Nonetheless, it took the firm a few more days to respond to the researchers and close down the database on June 11, 2019.

While the matter now seems resolved, it does not lower down the intensity of potential dangers associated with such incidents. The database leaked such sensitive medical information that could directly impact the victims in case of any mishap. Highlighting some of the potential hazards of this breach, the researchers stated,

Based on the testimonies recorded in xSocialMedia’s database, many of these people were recording their private medical issues. Some may not have disclosed these symptoms to anyone but their doctors. They may fear losing their jobs or how their friends and family will treat them if their symptoms were public knowledge. Some may worry about being shamed for their medical conditions, or even blackmailed.

Likewise, a bad actor could easily trace them down by using the exposed information and could possibly take advantage of their weaknesses leveraging this data. Likewise, this incident also posed a threat to the safety of US veterans as they could be clearly identified.

Considering the rise in such negligence from the companies, the researchers advise them to stay vigilant for their database security. The firms should properly secure their servers, implement access rules, and ensure not leaving any system without authentication open to the internet.

Prior to this report, the same researchers also reported data leak through an unsecured database belonging to a Fortune 500 company Tech Data.

Let us know your thoughts in the comments.

You Might Also Like

Leave a Reply