Update: A MongoDB Inc. representative has stated that, "Mongolayer is part of a shuttered database service hosted by Compose IBM. This is a sunset 3rd party-service that was never owned or maintained in any way by MongoDB Inc."
The UpGuard Research team can now disclose that a data collection originating from iPR Software (risk score: 683) containing details of 477,000 media contacts, business entity account information, over 35,000 user password hashes, assorted documents, and administrative system credentials has been secured. The Amazon S3 storage bucket contained a large collection of files, some of which were configured for public access, totalling over a terabyte in size. In addition to the database files, the storage bucket contained documentation from iPR developers, documents which appear to be marketing materials for client companies, and credentials for iPR accounts on Google, Twitter, and a MongoDB hosting provider.
Because iPR makes a software product that other companies use to manage their digital marketing, the user accounts in the exposed database carry business email addresses for those client companies. Many of those clients are listed on iPR's website. UpGuard analysts confirmed that user accounts with hashed passwords were present for clients including GE, Xerox, CenturyLink, Forever21, Dunkin Donuts, Nasdaq, California Courts, and Mercury Public Affairs, a firm relevant to the Rick Gates and Paul Manafort investigations. In addition to the user accounts, the files stored in these clients' directories were also available.
Discovery and Notification
On October 15, 2019, an UpGuard analyst detected an Amazon S3 storage bucket named "cms.ipressroom.com" configured for public access. After analysis confirmed the data was potentially sensitive, UpGuard notified iPR Software via email and phone on October 24th. During the phone call an iPR representative confirmed that the company's CTO was aware of the notification and working to resolve the exposure. As UpGuard continued to monitor the bucket, the only observable change was the appearance of a folder called "loganalysis." After twelve days with no action, UpGuard contacted trusted journalists at Scoop News Group, with whom we have worked in the past, for additional help engaging iPR. Finally, public access for the bucket and all contents was removed on November 26, 2019.
Screenshot showing a partial file listing and the permissions on an example file, which allowed public read access to the file itself and public read/write access to its access control permissions.
Folder titled “loganalysis” with files added on 11/12/2019. The files in this directory were not publicly downloadable even as the database files in the same bucket remained open.
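To illustrate the kind of grants visible in the permissions screenshot above, here is an added example (not part of UpGuard's write-up or tooling) that reviews an S3 ACL in the dictionary shape boto3 returns from get_object_acl and reports which public grants make an object downloadable or its ACL rewritable; the ACL data is constructed sample input, not the real bucket's.

```python
"""Classify public grants in an S3 ACL: READ (anyone can download the object)
and READ_ACP / WRITE_ACP (anyone can read or rewrite the access control list).
The ACL dicts mirror boto3's get_object_acl / get_bucket_acl response shape,
but the values are constructed sample data, not real API output."""

# Predefined S3 groups whose grants make an object or bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# FULL_CONTROL implies all four individual permissions.
FULL_CONTROL = ("READ", "WRITE", "READ_ACP", "WRITE_ACP")


def public_permissions(acl):
    """Return the set of permissions an ACL grants to any public group."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue  # owner / canonical-user grants are not public
        perm = grant.get("Permission")
        if perm:
            found.update(FULL_CONTROL if perm == "FULL_CONTROL" else (perm,))
    return found


def classify(acl):
    """Map each public permission to the exposure it causes."""
    perms = public_permissions(acl)
    findings = []
    if "READ" in perms:
        findings.append("public-read: anyone can download the object")
    if "WRITE" in perms:
        findings.append("public-write: anyone can overwrite or delete objects")
    if "READ_ACP" in perms:
        findings.append("public-read-acp: anyone can read the ACL")
    if "WRITE_ACP" in perms:
        findings.append("public-write-acp: anyone can rewrite the ACL and widen access")
    return findings


# Constructed sample ACL resembling the exposed example file in the article.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for finding in classify(SAMPLE_ACL):
        print(finding)
```

Run against real buckets by feeding each get_object_acl / get_bucket_acl response into classify; any WRITE_ACP finding deserves the same urgency as public READ, since it lets an outsider grant themselves the rest.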
This storage bucket contained a vast collection of files, potentially serving as the backend for the content management system that iPR licensed to customers. Internal documentation for iPR's development teams, located in Los Angeles, US, and Kaluga, Russian Federation, according to Crunchbase, described how iPR developers could administer the platform to help client companies manage their digital marketing. The contents of the bucket thus included both iPR's internal resources for managing their platform and its user accounts, and client documents that were distributed through iPR's CMS product. Multiple overall size queries through AWS timed out after tallying over a terabyte of downloadable files.
Bucket listing showing over 13,000 top level directories, inside of which were files totalling more than a terabyte.
One folder contained backups generated from MongoDB databases, with the most recent and largest publicly accessible backup being a 17 GB file from 2017 which, when loaded into a MongoDB instance, expanded to over 100 gigabytes in size. A table of user data contained a total of 477,000 email addresses, with hashed passwords present for approximately 35,000 of these profiles. The distinction between users with and without passwords is not clear from the available data, but those with passwords presumably had accounts they could log into, while those without may just have been contacts for media outreach.
Data from restored MongoDB with fields for email, first name, last name, username, last login, and password hash.
The bucket also contained directories with files relevant to their clients. These directories contained mostly marketing assets, many of which would be intended for public consumption, but also internal public relations strategy documents like plans for communications during crises or adverse media attention.
Finally, this data exposure highlights the potential for secondary data loss in exposing credentials for other systems. Among the credentials were the keys for iPR's Twitter account, a password for a MongoDB hosted on mongolayer.com, and a Google API access key. As always, UpGuard researchers do not attempt to use discovered credentials, and so the access level provided by these is uncertain. However, the consequences of compromised credentials to social media accounts are well known and can result in blatant defacement or surreptitious private messaging.
A Python script named “social.py” that included credentials for hosted MongoDBs and a model for user data.
Twitter credentials also present in “social.py.”
Almost all of the modern internet is supported by marketing in one form or another. While digital advertising is the core revenue stream for platforms like Google, Facebook, and Twitter, businesses use their online presence to market to customers by distributing information about their products and gathering contact information from potential customers. As a large PR and marketing provider, iPR would generate and manage a centralized collection of that kind of data for their clients. When made public, the result is the exposure of information for hundreds of thousands of people attached to or targeted by PR and marketing efforts.