Fieldwork Software leaks data due to misconfigured database

• The leaky database contained a variety of information such as names, addresses, phone numbers, emails and communications between users and clients.
• Apart from these, there were other datasets which proved to be more serious.

A database linked to Fieldwork Software had leaked 26GB of data belonging to its business clients. The database was not protected with a password and was left open for access on the internet.

What data is involved?

In a blog post, vpnMentor researchers Noam Rotem and Ran Locar revealed that the leaky database contained a variety of information. This included names, addresses, phone numbers, emails, communications between users and clients, instructions and photos of work sites.

Apart from these, there were other datasets which proved to be more serious. These datasets contained GPS locations of clients, IP addresses, billing details, signatures and credit card details - card number, expiration date, and CVV code.

“The most impactful piece of information we discovered in the database was an auto-login link that gave anyone direct access to a company’s backend system. Records in the backend included detailed and sensitive client information, as well as an extensive amount of the company’s administrative infrastructure,” added the vpnMentor researchers.

Worth noting

The researchers noted that access to the portal is particularly dangerous. A bad actor can take advantage of the stolen information to lock the company out of the account by making backend changes.

While the logs visible in the database are only 30 days old, they contained appointment times and instructions for accessing buildings including alarm codes, lockboxes codes, passwords, and descriptions of where keys were hidden.

What has been done about it?

Fieldwork Software was informed about the leak, following which it took necessary steps to secure the unprotected database. The leak was closed within 20 minutes of receiving the researchers’ email.