Cloud Accounting Firm Faces Security Breach After Researchers Uncover Admin Login Data

Canadian unicorn startup FreshBooks, which develops cloud accounting software, has been found to have left an Amazon Web Services (AWS) storage bucket containing sensitive employee information unprotected on the internet. Cybersecurity researchers have claimed that this has put more than 30 million users in over 160 countries at risk of identity theft and other cybercrimes.

The Cybernews research team issued the alert after discovering the database in late January 2023. Although it initially appeared to hold storage images and metadata of the company’s blog, deeper analysis revealed backups of the website’s source code, site information, configurations, and login data for 121 WordPress users. The login data, which included usernames, email addresses, and hashed passwords, belonged to the site’s administrators; the passwords were hashed using the “easily crackable” MD5/phpass hashing framework.

According to the researchers, threat actors could have accessed the website’s backend with this information and made unauthorized changes to its content. Additionally, by analyzing the source code and finding other vulnerabilities to sell or exploit, they could have caused further damage. A 2019 server backup contained “at least five” vulnerable plugins that were installed on the website at the time, the researchers found.

While the website’s login page to the admin panel was secure and not publicly accessible, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin. In a worst-case scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.

FreshBooks has not yet commented on the matter.