Maropost Leaked Over 19 Million Unique Email IDs via an Unprotected Database

• A marketing giant has leaked 95 million records, exposing over 19 million unique email IDs.
• The company failed to answer to the notices sent on all possible communication channels for two months.
• The CEO of the firm disregarded the finding by saying it’s all testing data, but the researchers claim that it isn’t.

A team of researchers working for CyberNews has discovered an unprotected database containing 19,213,884 unique email IDs belonging to Maropost’s clients and their customers. Maropost, who is also the owner of the leaking database, is a “unified customer engagement platform,” or a data-driven marketing firm if you prefer. The Toronto-based company provides its services to thousands of high-profile brands such as Mercedes-Benz, Hard Rock Cafe, Rolling Stone, Mother Jones, Shopify, Scott, New York Post, Yext, and Fujifilm. The database in question contained information that was generated for marketing campaigns for the account of its clients.

Source: CyberNews

The exposed data includes 19.2 million unique email IDs from a total of 95 million records, email logs, metadata, and more. It looks like the unprotected database was holding the entire customer base of Maropost, and by extension, the customer base of its clients. The data remained online and accessible for an unknown period, placing the exposed individuals at risk of receiving spam, having their passwords brute-forced, or receiving targeted phishing attacks. As for Maropost’s clients, they most probably already lost their marketing lists to competitors, which means seeing a significant investment going down the drain.

Cybernews reports that informing Maropost of the security incident was a surprising adventure by itself. Apparently, they first tried to contact them on January 30, 2020, by sending notices to both the “privacy” and the “support” email addresses to no avail. Next, they tried live chat, but the customer support agent closed the conversation upon receiving the disclosure notice instead of approaching the issue. Then, the researchers hopped on Twitter and contacted both Maropost and its CEO via DM (direct message), but both accounts ignored them. Then they tried LinkedIn, where they located the CTO and sent him a message, but again, they received no response.

By now, they had noticed that Maropost was operating with its ears closed and even started to wonder if the company even existed. So, they re-sent emails on every possible official account they could find online and tried to call them, but no one picked it up. Finally, they tried the live chat again. Still, the agent told them that “the concerned team is unavailable as of now,” and after two full months, on April 1, 2020, they finally got a response. Maropost’s CEO, R. A. Paquette, answered to one of the emails that CyberNews had sent, telling them that the exposed information was nothing else than randomized data that they were using for internal testing. The researchers dispute this claim, as their confirmation tests showed that the email addresses are real, and any messages sent to them are delivered.