VPNMentor researchers have discovered consumer audio giant Sennheiser has accidentally left open an old cloud account containing customer data.

On October 28, 2021, researchers Noam Rotem and Ran Locar of VPNMentor discovered an unsecured Amazon Web Services (AWS) server online containing the data of over 28,000 Sennheiser customers.

According to Sennheiser, the server contained data collected from the public through its various activities.

Sennheiser failed to implement any security measures and data was accessible to anyone with a web browser.

Researchers identified the data by files with company names and employee information.

“Sennheiser failed to implement any security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills. We quickly identified Sennheiser as the owner of the data due to several factors, including files with the company’s name and Sennheiser employees listed in the bucket’s infrastructure,” reads the post published by VPNMentor.

Immediately after confirming the owner of the data, the researchers notified the company about the data on October 28, 2021. The company responded a few days later and secured the data.

The S3 bucket held over 55GB of data on over 28,000 customers, collected between 2015 and 2018.

The exposed data includes customers' personal information, such as:

  • Full names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Names of companies requesting samples
  • Number of the requesting company’s employees

The bucket also contained 4GB of backup data, which was protected.

The data breach affected Sennheiser’s customers and suppliers globally, but the majority of the affected customers are in North America and Europe.

“Once we confirmed that Sennheiser was responsible for the data breach, we contacted the company to notify it and offer our assistance. Sennheiser replied a few days later and asked us to give details of our findings. We disclosed the URL leading to the unsecured server and provided further detail about what it contained. Despite not hearing back from the company again, the server was secured a few hours later.”
