Posted on March 21, 2020 at 1:45 PM
Open Exchange Rates, an online exchange rate data provider, has recently exposed its user data through an Amazon database. The amount of user data has not been disclosed, but the announcement itself was published through Twitter this week.
Announcing A Breach In User Database
The company provides foreign exchange data for more than 200 currencies across the globe, digital currencies included. Any software developer can gain access to it through the company's API. This allows applications to query Open Exchange Rates' service, which delivers the results in JSON, a format that is both machine- and human-readable.
The company runs this service on the Amazon Web Services cloud network. However, the company was subject to a security breach that had occurred as early as the 9th of February, 2020.
The announcement of the breach came on the 12th of March, 2020, when the company sent notifications to its customers. Sylvia van Os, an open source and Linux engineer, tweeted this notification to the public.
An Express Attack Against The Company
What's important to note is that this data breach seemed to be a targeted attack, rather than one of the typical AWS exposure incidents usually reported.
This data breach wasn't attributed to an S3 bucket exposure or public database access, the kind of exposure that comes from a database or cloud misconfiguration. Instead, it seemed like a malicious actor had expressly targeted Open Exchange Rates.
The company stated that reports about its API's performance started to come in back on the 2nd of March, 2020. This, in turn, led the company to a misconfiguration within its network. However, when the problem was fixed, it came out that an unauthorized account had been meddling with the AWS environment and had caused the misconfiguration to begin with.
Through the announcement, it’s revealed that this unauthorized account had been leveraging a compromised secure access key to change the AWS environment.
Long-Term Exposure To User Data
When the company shut off this user's access to fix the issue, it found that the account had managed to gain access to a database containing user data. Through the public statement, the company explained that there is evidence showing that this data had been extracted from its network. However, the company was quick to affirm that it was still investigating the issue.
The data that was breached includes registered names and email addresses. It also includes encrypted account access passwords, IP addresses of various users, and tokens that are used to authenticate querying applications.
To add insult to injury, should a user have divulged his personal address, business address, web address, or country of residence, this information was also compromised in the breach.
Warnings Of Identity Theft And Fraud
The statement warned the public that criminals could leverage the data that could have potentially been extracted. Social engineering, fraud, and identity theft could all be carried out with the possibly extracted data. Not an excellent light to put themselves in, but essential to address, regardless.
In order to try and protect its users, Open Exchange Rates has enacted precautionary measures. These measures include resetting all the passwords of its various users. Furthermore, customers are expected to reset their application tokens, as the company felt that people could leverage the tokens to use its services on the dime of some unwilling victim.
Wise Men Stay Silent
As it stands now, the company has refrained from giving further comment about the matter at large. For now, this may be the best decision, as a public statement taken the wrong way would damage sentiment.
The company will doubtlessly take a hit in public opinion due to this breach, but it’s important to remember that trying to prevent cybercrime is like trying to push against the sea.
The larger a target a company is, the more attempts are made to breach it. By virtue of quantity, some get through. All the company can do is prevent it from happening in that specific way ever again.