Company name and location: Beetle Eye, located in the USA
Size (in GB and amount of records): 1+ GB of data, 6K files
People affected: 7 Million (approx.)
Data Storage Format: Amazon S3 bucket
Countries Affected: Primarily USA
The Website Planet research team uncovered a large data breach affecting the American marketing automation platform Beetle Eye.
Beetle Eye is an online tool that allows marketers to streamline their email marketing campaigns.
The company left its Amazon S3 bucket open, exposing data belonging to an estimated 7 million people.
Leads’ Data Exposed
Beetle Eye’s AWS S3 bucket exposed more than 6K files, totaling over 1 GB of data. The incident occurred because the bucket was misconfigured; it was left without any password protection or encryption.
Exposed records contained several forms of PII. Specifically, this data relates to the “leads” of the companies using Beetle Eye’s marketing automation platform. In other words, the data exposed most likely belongs to potential customers of Beetle Eye’s clients.
A lead is a person who has been identified by a marketing team as a potential customer for a business. A person may become a “lead” because they have shown an interest in a product/service, or because a company acquired their contact details. Businesses will prepare information on leads to help conduct direct marketing communications.
We found more than 10 different folders in Beetle Eye’s open bucket. Each file within these folders contained data for one of the exposed clients. As such, there were three different datasets on Beetle Eye’s bucket: Unnamed leads, GoldenIsles.com leads, and Colorado.com leads.
Each dataset contained slightly different collections of PII.
Unnamed leads data contained numerous forms of lead PII that were collected for an unnamed organization. In the portion of files we analyzed, we found around 8.5K log entries of unnamed PII. The true volume of records is likely far greater as we only checked a sample of records for ethical reasons. “Change of address” information featured among the unnamed dataset’s logs.
“Change of address” (COA) information is typically associated with a citizen’s official request to change their postal address. The AWS S3 bucket contained records of people’s old and new postal addresses, which is why we think these are “change of address” records.
The lead PII in unnamed leads includes:
- Full names; first names and surnames
- Addresses (current and previous)
- ZIP codes (current and previous)
- Cities (current and previous)
You can see evidence of unnamed PII, along with “COA Match Flag” and “COA Move Type” fields below.
Logs containing the PII of leads, collected for an unknown source
The second set of data was collected for the Golden Isles tourist board and its associated website, GoldenIsles.com. We found over 320k log entries of data relating to the leads of GoldenIsles.com in the portion of files we analyzed. However, there were likely more log entries contained in other files of this type.
GoldenIsles.com leads files contained several forms of lead PII, along with survey answers and data collection information:
- Full names; first names and surnames
- Email addresses
- Phone numbers (in some cases)
- Company name (if any)
- Data collection information; i.e. where the data on leads was acquired
- Survey answers; questions and each lead’s answers relating to the Golden Isles and GoldenIsles.com
You can see evidence of GoldenIsles.com leads’ PII in the following screenshot.
Logs of GoldenIsles.com leads
The third dataset compiled information about leads for the official tourist board of the US State of Colorado, along with its website Colorado.com. We estimate there were a minimum of around 590K log entries of this type, although there were likely many more.
Colorado.com leads files contained several forms of lead PII, as well as survey answers:
- Full names; first names and surnames
- Email addresses
- Survey answers; questions and answers about Colorado and Colorado.com magazine subscriptions
You can see evidence of Colorado.com leads’ PII below.
Beetle Eye’s bucket was live and being updated at the time of discovery.
Counts of logs for each dataset are minimum estimates based upon the sample of files we observed in the bucket. The true number of logs is likely far greater.
Estimates suggest 7 million unique users were exposed in this data breach. This estimate is based on a sample of roughly 0.124 GB of .csv files, taking duplicates into account.
Beetle Eye assigns a unique ID to each “lead” on the database which helped us figure out the duplicates.
Beetle Eye may face various sanctions and damages as a result of this data exposure, while leads of the aforementioned organizations that use Beetle Eye’s platform could also suffer impacts from this data exposure.
Who Was Affected?
Beetle Eye’s misconfiguration ultimately affects potential customers of other organizations — entities using Beetle Eye’s platform.
Leads may be collected because they have shown an interest in a product or service from one of the organizations or because they provided their contact details. Once their data is logged on a database, businesses can contact each potential lead with the help of Beetle Eye.
Strangely enough, the exposed leads on the database may never have done any business with the companies in question; they are only potential customers. This points to the vulnerability of our information and the trust we place in those who collect it, even when we never hand over money. For example, it appeared that one of the companies collected data across social media giveaways, email sign-ups, website cookies, and various other sources.
What’s more, roughly 99% of the users included in the bucket appear to be located throughout the United States. A small portion of the bucket’s content also belongs to Canadian citizens.
Who Was Exposing the Data?
Beetle Eye is based in Florida, USA. The company offers a marketing and CRM tool for email marketing campaigns.
Beetle Eye’s product allows marketers to manage email campaigns and maximize lead generation, from automating mass email sending to editing subscription lists. The CRM aspect of Beetle Eye’s platform helps users organize and analyze prospective customers.
Beetle Eye currently employs a handful of employees and has an estimated annual revenue of <$5 million (as per Zoominfo). Other than GoldenIsles.com and Colorado.com, Beetle Eye has top clients including the Hilton Sandestin Beach, the Marigot Bay resort, and Miles Partnership (Note: We didn’t find any data related to these other brands in the bucket).
We know that Beetle Eye owns the misconfigured Amazon S3 bucket because of references to the company inside the bucket.
Impact on Exposed Users
We cannot know whether malicious hackers have accessed the personal data stored on Beetle Eye’s database. However, with no authentication in place, other individuals could have found the bucket and easily accessed its contents.
Exposed users could be at risk of various forms of cybercrime as a consequence of this data breach. Users should be aware of these cybercrimes to properly protect themselves from each threat.
Scams, Phishing, and Malware
Exposed users may be targeted with scams, phishing attacks, and malware. These attacks are possible because there are contact details available in a large portion of the bucket’s logs.
Criminals could contact users via email or phone, referring to the user by their first and last name to build trust. The criminal may pose as a representative of one of the exposed organizations.
Criminals could reference the preferences and survey answers noted on the files to appear as a salesperson, building a narrative around the reason for their message.
Once the victim trusts the attacker, the attacker will attempt to extort the victim for money or information. The cybercriminal could coerce the user into sending them a payment, perhaps for a fake service or product that the attacker has “sold” to the victim. This is a scam.
The attacker could also convince the user to click a link or provide additional forms of PII that could aid in further fraud. Such links could lead to malware which, once clicked, downloads a malicious payload onto the user’s device. Malware can be used to steal the victim’s personal information, such as bank account credentials. This type of attack is called a phishing attack.
Beetle Eye could be affected by phishing attacks too. Rival businesses could phish for intellectual property or industry secrets from Beetle Eye.
Phishers could pose as a representative of one of Beetle Eye’s clients or as a Beetle Eye employee, referencing the exposed list of “leads” to build trust with Beetle Eye staff. From here, the attacker could ask questions about Beetle Eye’s business operations.
It’s worth mentioning that Beetle Eye’s clients exposed on the bucket could face the risk of corporate espionage by competitors. Each organization’s exposed list of leads could be used by rival companies that gain access to the information. Rival businesses could target those leads with their own marketing/sales communications, eventually stealing potential trade from Beetle Eye’s clients.
Impact on Beetle Eye
Beetle Eye could be impacted by this data breach as well. Beetle Eye may experience government sanctions and could also suffer from cybercrimes.
Data Privacy Violations
As mentioned, the bucket’s data appears to belong primarily to American citizens. If Beetle Eye has mishandled consumer data, the company could be subject to sanctions from the US Federal Trade Commission (FTC).
Beetle Eye may have broken the Federal Trade Commission Act (FTC Act) for exposing the personal data of US consumers. Under Section 5 of the FTC Act, the maximum fine for mishandling US consumers’ data is $100 million with the potential arrest of guilty individuals.
Status of the Data Breach
Identifying the owner of the unsecured Amazon S3 bucket was straightforward given the references and links to Beetle Eye.
The open bucket was discovered on September 9th, 2021. We sent a responsible disclosure of the data breach to Beetle Eye and Atlantis Labs (Beetle Eye’s parent company) on the same day. We sent two follow-up messages to Beetle Eye over the next two weeks. On September 15th, 2021, we sent a responsible disclosure of the breach to AWS and on September 21st, 2021, we sent a responsible disclosure to the USA Computer Emergency Response Team (CERT).
We received a reply from the CEO on February 14th, 2022, letting us know that the sensitive files were removed.
Reply from Beetle Eye’s CEO:
“We take the platform security seriously. As soon as this issue came to our attention, we immediately began an investigation and we started working immediately to fix the problem. The issue was fixed in a matter of hours. We determined that the main database was not compromised or accessed illegally. However, a breach involving some of the data buckets used to hold short-lived files may have occurred. We have secured this bucket, as well as reconfigured our entire system, to ensure the protection of our clients’ data. We have also implemented additional security measures to prevent any issues in the future.”
Protecting Your Data
People who have dealt with any of the organizations mentioned above should take precautionary measures to minimize their risk of exposure to cyber threats.
The abundance of contact details and PII makes phishing attacks and scams a real possibility. Users should be wary of any contact from an unknown source, especially if that source claims to be a representative of Beetle Eye, Colorado.com, or GoldenIsles.com.
Similarly, Beetle Eye employees should remain vigilant when receiving messages or phone calls from individuals who claim to be a fellow employee or a representative of one of the two exposed organizations.
Users and employees shouldn’t provide information or send money to unknown parties unless the sender can prove who they are and the legitimacy of their call or message.
Users should also take steps to avoid data exposure in the future. People must consider whether a service/website is worthwhile before providing personal details. When handing information over to companies and websites, people should only provide the minimum amount of personal details necessary.
We suggest Beetle Eye (and companies in general) always double-check their databases to make sure they are secure. Companies are also advised to assess the security of their databases at regular intervals.
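As an added illustration of such a check (not Beetle Eye’s or Website Planet’s code), the following Python evaluates a bucket’s ACL, bucket policy and Public Access Block settings for the “open to everyone” pattern described in this report; the inputs are constructed samples shaped like boto3’s responses, so it runs offline.

```python
# Offline audit of an S3 bucket's public exposure from its ACL, bucket policy
# and Public Access Block (PAB). Added example, not Beetle Eye's code; inputs are
# constructed to mirror boto3's get_bucket_acl/get_bucket_policy/get_public_access_block.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """ACL grants handed to everyone or to any AWS account."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _wildcard_principal(p):
    aws = p.get("AWS", []) if isinstance(p, dict) else p
    return "*" in (aws if isinstance(aws, list) else [aws])

def public_policy_statements(policy_json):
    """Allow statements in the bucket policy whose principal is anyone."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))]

def audit_bucket(acl, policy_json, pab):
    """Return findings; pab is the PublicAccessBlockConfiguration dict ({} if unset)."""
    findings = []
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        perms = sorted({g["Permission"] for g in grants})
        findings.append(f"ACL grants {perms} to everyone; IgnorePublicAcls is off")
    stmts = public_policy_statements(policy_json)
    if stmts and not pab.get("RestrictPublicBuckets", False):
        findings.append(f"policy has {len(stmts)} Allow statement(s) for Principal '*'")
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("Public Access Block not fully enabled: " + ", ".join(missing))
    return findings

# Constructed sample: a bucket readable by anyone with no PAB configured.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_PAB = {k: True for k in PAB_KEYS}
```

Run `audit_bucket(OPEN_ACL, OPEN_POLICY, {})` to see the three findings for the open sample; the same call with `LOCKED_PAB` returns none, because the account-level block overrides both the ACL and the policy.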
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet safer for everyone.
What is Website Planet?
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence. You’ll find tools and resources for everyone, from beginners to experts — and honesty is our top priority.
We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a famous European office supplier, as well as a breach in an Indian B2B online packaging marketplace leaking sensitive data.