The Cybernews research team found that the Dutch encryption software company ENC Security leaked its configuration files and certificates for 1.5 years. The company said the issue was due to a misconfiguration of a third-party provider whose data was stored inside the affected server. The vendor corrected the issue immediately after receiving the notification.
“Data that has been leaked for about 1.5 years is a goldmine for hackers,” said Cybernews researcher Martynas Vareikis. Attackers can use the exposed data for a variety of cyberattacks, from phishing to ransomware, he said.
The leaked data included:
- Simple Mail Transfer Protocol (SMTP) credentials for sales channels. Can be used for phishing by sending fake invoices to customers or spreading malware through trusted email addresses.
- Adyen keys of a single payment platform.
- Email marketing company Mailchimp API keys. They allow the company to create mass marketing mailings from the company’s real email and “collect” potential customers.
- API keys for payments. Disclose confidential customer information.
- HMAC message authentication codes.
- Keys and certificates stored in the ".pem" format (a file format for storing and sending cryptographic keys and certificates) can open access to the server or even lead to server takeover.
The data was available from May 27, 2021 to November 9, 2022. The server was shut down after Cybernews reported a vulnerability in ENC Security.
USB keys from Sony, Lexar, Sandisk and other storage devices come with data encryption software developed by ENC Security. The Dutch company with 12 million users worldwide offers "military-grade data protection" solutions with its popular DataVault encryption software. ECN Security reports that its product is downloaded more than 2,000 times a month.