Cloud accounting firm in a pickle after researchers find admin login data

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

FreshBooks, a Canadian unicorn startup building cloud accounting software, kept an Amazon Web Services (AWS) Storage bucket holding sensitive employee information unprotected on the internet, available to anyone who knew where to look, experts have claimed. 

As a result, more than 30 million of its users, in more than 160 countries around the world were put at risk of identity theft and other cybercrime, perhaps not directly but through more targeted attack using the data obtained. 

The alert was issued by the Cybernews research team, which first discovered the database in late January 2023.

Easily cracked passwords

On first glance, it held storage images and metadata of its blog, but deeper analysis discovered backups of the website’s source code, as well as site info, configurations, and login data for 121 WordPress users. The login data - usernames, email addresses, and hash passwords - belonged to the site’s administrators. They were hashed using “easily crackable” MD5/phpass hashing framework, the researchers said, suggesting that obtaining the information in plaintext was relatively easy.

With this information, the Cybernews’ team says, threat actors could have accessed the website’s backend and made unauthorized changes to its content. They could have analyzed the source code, understood how the website operated, and found other vulnerabilities to sell or exploit. In fact, a 2019 server backup held “at least five” vulnerable plugins that were installed on the website at the time, the researchers found. 

In an even more dangerous scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.

There is a caveat to exploiting the vulnerability, though: “The website’s login page to the admin panel was secured and not publicly accessible,” the researchers explain. “However, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin.”

Via: Cybernews

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.