Friday, 23 September 2016

Sites associated with both presidential contenders spring leaks

Proving that accidental exposure of sensitive information and data theft can be bipartisan, personal information has been siphoned out of databases connected to both presidential campaigns.
On the blue side, records of nearly a thousand donors to a political action committee (PAC) supporting Hillary Clinton were stolen between January and April. The data was housed in a spreadsheet residing on Amazon's cloud. The exposure was detected by security researchers at the MacKeeper Security Research Center.
The database belonged to the Balance of Power PAC, a California-based organization, which backs Clinton's campaign and advocates for progressive causes.
The purloined information included names, email addresses, home addresses, occupations and phone numbers. Donation amounts and methods of payment were also breached, though personal financial data was not part of the spreadsheet.
The PAC's treasurer said the data was hosted by a New Zealand-based software company, BuddyBid, which, he added, the PAC ceased doing business with months ago.
On the red side, dozens of résumés from people who applied for internships with the campaign of Republican presidential hopeful Donald Trump were exposed owing to a misconfigured setting on the Amazon S3 server hosting the candidate's website.
Chris Vickery, lead security researcher of the MacKeeper security research team, said in a blog post on Wednesday that after discovering Trump's asset repository, he poked around and detected a folder named “resumes.”
Because the site designer had configured an automated script to move files into the résumé directory, Vickery said he worked out how such a script would assign names. He began with “resume_1.pdf,” which loaded a download dialog. "The file contained a glut of personal details, work/education history, and references for a young person hoping to become an intern with the Trump campaign," he wrote in his post.
He quickly gained access to two dozen names via basic filename fuzzing, for instance “resume2.docx” through “resume_9.pdf” and “resumeDT.pdf.”
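As an added example (not from this article or from MacKeeper's post), a small Python detector for the kind of sequential-name probing described above, run over constructed Amazon S3 server access log lines; the bucket name, client IPs and request ids are made up, and the log fields follow the real format's order but are trimmed after the object-size column.

```python
import re
from collections import defaultdict

# Constructed S3 server access log lines (not real data); fields follow the
# real format's order: owner bucket [time] ip requester req-id operation key
# "request-uri" status error bytes-sent object-size (trailing fields trimmed).
SAMPLE_LOG = """\
79a5 site-assets [21/Sep/2016:10:00:01 +0000] 198.51.100.7 - R01 REST.GET.OBJECT resumes/resume_1.pdf "GET /resumes/resume_1.pdf HTTP/1.1" 200 - 48213 48213
79a5 site-assets [21/Sep/2016:10:00:02 +0000] 198.51.100.7 - R02 REST.GET.OBJECT resumes/resume_2.pdf "GET /resumes/resume_2.pdf HTTP/1.1" 404 NoSuchKey 303 -
79a5 site-assets [21/Sep/2016:10:00:03 +0000] 198.51.100.7 - R03 REST.GET.OBJECT resumes/resume_3.pdf "GET /resumes/resume_3.pdf HTTP/1.1" 404 NoSuchKey 303 -
79a5 site-assets [21/Sep/2016:10:00:04 +0000] 198.51.100.7 - R04 REST.GET.OBJECT resumes/resume_4.pdf "GET /resumes/resume_4.pdf HTTP/1.1" 200 - 51002 51002
79a5 site-assets [21/Sep/2016:10:00:05 +0000] 198.51.100.7 - R05 REST.GET.OBJECT resumes/resume_5.pdf "GET /resumes/resume_5.pdf HTTP/1.1" 404 NoSuchKey 303 -
79a5 site-assets [21/Sep/2016:10:00:06 +0000] 198.51.100.7 - R06 REST.GET.OBJECT resumes/resume_6.pdf "GET /resumes/resume_6.pdf HTTP/1.1" 200 - 47731 47731
79a5 site-assets [21/Sep/2016:10:00:07 +0000] 203.0.113.5 - R07 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 2048 2048
"""

LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)')
# A key "family" is the name with its trailing number replaced by N, so
# resumes/resume_1.pdf and resumes/resume_9.pdf both map to resumes/resume_N.pdf.
FAMILY_RE = re.compile(r'^(?P<stem>.*?)\d+(?P<ext>\.[A-Za-z0-9]+)?$')

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_sequential_probing(log_text, min_keys=5, min_misses=2):
    """Return {(ip, family): {"keys": n_distinct, "misses": n_404}} for clients that
    walked at least min_keys numbered names in one family with at least min_misses 404s."""
    stats = defaultdict(lambda: {"keys": set(), "misses": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["op"] != "REST.GET.OBJECT":
            continue
        fam = FAMILY_RE.match(rec["key"])
        if not fam:
            continue  # un-numbered names (e.g. resumeDT.pdf) are not counted by this heuristic
        family = fam.group("stem") + "N" + (fam.group("ext") or "")
        entry = stats[(rec["ip"], family)]
        entry["keys"].add(rec["key"])
        if rec["status"] == "404":  # a guessed name that does not exist
            entry["misses"] += 1
    return {k: {"keys": len(v["keys"]), "misses": v["misses"]}
            for k, v in stats.items()
            if len(v["keys"]) >= min_keys and v["misses"] >= min_misses}
```

A client following links from the site rarely produces 404s on numbered names, so the miss count is what separates probing from normal traffic; the real fix is still to deny public reads on the bucket and to name uploads unpredictably.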