May 21, 2022

A WiFi software management company exposed the data of millions of users

Brazilian WiFi management software company WSpot exposed extensive details of leading companies and millions of customers.

WSpot provides software for businesses to secure their on-premise WiFi networks and offer password-free online access to their customers. Some of WSpot’s notable clients include Sicredi, Pizza Hut, and Unimed.

According to WSpot, 5% of its customers were affected by this leak. However, the company maintains that it never collects financial information from customers, so financial data is not included in the leak.

About the leak

Security research firm SafetyDetectives discovered the leak and found that WSpot had a misconfigured Amazon Web Services S3 bucket. The bucket was unprotected and open to public access, which resulted in 10 GB of visitor data being exposed.

The bucket was discovered on September 2 and WSpot was notified on September 7, after which the company was able to secure it immediately. The Brazilian company confirmed that its servers remained intact and threat actors did not invade them.

In addition, there is no indication that unauthorized third parties have accessed the exposed information. The company says it has hired a security company to investigate the incident.

What was exposed?

About 226,000 files were exposed in this data leak. The leaked information included the personal details of at least 2.5 million users who connected to WSpot clients’ public WiFi networks.

Additionally, according to analysis by SafetyDetectives, the exposed information included details of the people who accessed the companies’ WiFi service: full name, full address, email address, phone number, and taxpayer registration, as well as the plain text login credentials created by users when they registered for the service.

Email addresses and passwords exposed in plain text format. (Image credit: SafetyDetectives)

In their blog post, SafetyDetectives explained that:

“We discovered two different file types exposed on the open database: SMS logs and guest reports. There may be more information exposed that was not visible in our sample data. 84 MB of files containing SMS logs were found in WSpot’s database. There were approximately 280,000 such log entries. SMS logs disclosed two forms of personal and confidential visitor data. This data belongs to people who have connected to the WiFi of each WSpot client.”

WSpot confirmed the leak

According to ZDNet, WSpot confirmed the leak. The company explained that the leak was caused by “insufficient standardization in the management of information”, which was stored in a specific folder. The company further indicated that it had been addressing the issue since SafetyDetectives notified it, and that technical procedures were completed on November 18.

A company spokesperson said it has yet to contact the National Data Protection Authority regarding the incident and that WSpot will resolve any legal issues. It is also unclear whether the company informed affected users or not.
