The target: Frost & Sullivan, a US based business consulting firm.
The take: 6,000 customer records containing: client name, email address, the company contact. 6146 employee records containing: first and last names, login names, email addresses, and hashed passwords.
The attack vector: Due to a misconfigured, public-facing sever, the data was stolen from an unsecured backup folder which contained readable databases and company documents. The information was then put up for sale on a known hacking forum.
This breach highlights the importance of a firm’s security posture for publicly accessible file containers. Since sensitive information such passwords were included in the leak, credential stuffing attacks could easily be carried out to great effect.