Cricketsocial.com, is a social platform developed for the cricket community online. CyberNews discovered that a database used by the platform was left open online, it contains a huge trove of data.
The Social platform for the cricket community exposed over 100k entries of private customer data and credentials.
The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email, phone numbers, names, hashed user passwords, dates of birth, and addresses.
The experts noticed that most of the records in the database seem to be test data, however, the experts discovered it also includes personally identifiable information (PII) of legitimate site users. The data stored in the database includes posts, comments, number of likes, and links to images kept on the AWS storage bucket.
“Even if all the information stored was test data, leaving data in plaintext is a poignant indication of bad security practices being employed. That creates unnecessary risks for unsound practices creeping into the production environment if left unchecked.” Cybernews researchers said.
The experts discovered the database also exposed plaintext credentials for a website administrator account, a piece of information that could allow an attacker to take over the platform.
The storage of passwords in plaintext is a bad practice that could advantage threat actors while targeting an infrastructure.