leak
  • An email marketing company has exposed over fifty million email addresses belonging to its customers.
  • The leak happened through an unprotected database that could have compromised the firm’s internal network too.
  • The company has remained silent about the incident so far, although they should have alerted the authorities.

Pabbly, an email marketing firm, has blundered hugely by leaving an unprotected database online. This means that anyone with a Web browser and a motive to search for it online could have accessed approximately 51.2 million records. The discovery was the work of researcher Jeremiah Fowler, and the date when the specialist found the database is January 24, 2020. Pabbly was notified almost immediately and they responded by restricting public access to the database after a couple of hours. However, they didn’t provide any explanation, clarifications, or any official statement about the incident.

According to the researcher, the database contained 50.6 million email addresses that were used by customers of the platform. The database also contained IP addresses, ports, pathways, storage info, internal logs, etc. This means that a visitor would not only be able to access the data, but also to edit, download, and delete the records, all without having to use any admin credentials. Moreover, a skilled actor could easily penetrate deeper into the network of Pabbly, since the database offered the information to open the door to the corporate network of the firm.

pabbly database
Source: Security Discovery

So, what would crooks do with a large number of email addresses? Spam would be the de-facto way to take advantage of millions of valid email addresses. A secondary scenario of exploitation would involve phishing attacks, although the accompanying information to make these effective is missing in this case. All of these emails were previously used for legitimate marketing purposes, but if they fell into the wrong hands now, they will be used for relentless spamming. Unfortunately, there’s no way to unsubscribe from these mailing lists, so the owners of these email addresses will have to deal with the situation by using spam filters, or hop to a new address entirely.

Pabbly is based in Bhopal, Madhya Pradesh, in India, and the law there obliges entities to inform the authorities if a leak has affected a large number of individuals. Until now, Pabbly hasn’t informed anyone about the incident, and the exact number of the exposed users, as well as the length of the exposure, are still unclarified. Hopefully, now that the matter has gone public, the company will take responsibility for the incident and the Indian authorities will impose the appropriate fines that correspond to this mishap. The only way to force companies to handle people’s data with the care they deserve is to compel them to do so.