A misconfigured database has caused a San Francisco-based video marketing software provider to expose the personal details of its users through a server discoverable on Shodan. The company operates two websites: getshow.io, an all-in-one video marketing platform, and animaker.com, a DIY video animation software. It is worth noting that Getshow.io is owned by Animaker.com. The server in question is registered under the domain name getshow.io, which Animaker.com manages.
The misconfiguration of the database led to the exposure of both test and personal data belonging to over 700,000 users. The database currently contains 5.3 GB of data, and it continues to grow, with new data being added each day. The data exposed by the misconfiguration includes the personal data of unsuspecting customers, such as full names, device types, postal codes, IP addresses, mobile numbers, email addresses, Animaker profile details, and country/city/state/location. However, no passwords were found in the data leak.
Our cybersecurity researcher Anurag Sen identified the server on Shodan while searching for misconfigured cloud databases. Shodan is an OSINT tool and a specialized search engine used by cybersecurity researchers to locate vulnerable Internet of Things (IoT) devices, including servers and misconfigured databases on the internet. CloudDefense was featured on HackRead recently for this.
A database is misconfigured when its access controls and security settings are improperly configured or left at their defaults. When a misconfigured database is exposed to the public, it can be discovered and exploited by cybercriminals who use automated tools to scan the internet for open databases. Once they find a vulnerable database, they can use it to steal data, install malware, hijack it for ransom, or launch other types of cyber attacks.
As a result, misconfigured databases can lead to significant financial losses, legal liabilities, and reputational damage for affected individuals and organizations. The consequences can be severe, as evidenced by recent data breaches at RailYatri and the U.S. No Fly List, where millions of users had their personal information stolen, resulting in significant financial and reputational damage to the companies and authorities involved.
Animaker has been informed about the incident, but there has been no response so far. The company's CEO, RS Raghavan, has been informed on Twitter.
To prevent a misconfigured database from being exposed to the public, experts recommend implementing proper access controls and security settings, including strong passwords, encryption, and regular vulnerability assessments. Organizations should also limit the amount of sensitive data stored in their databases and ensure that it is only accessible to authorized users.