A database containing 95 million email records was sitting on a publicly accessible server for months, cybersecurity researchers from Cybernews have announced.
The database belongs to marketing firm Maropost, which provides services to more than 10,000 clients across the world, including The New York Post, Shopify, Fujifilm, Hard Rock Cafe and Mother Jones.
According to Cybernews, the database contains logs related to Maropost’s marketing campaigns, including 19,214,884 unique email IDs that were used in a total of 95 million records, as well as the apparent addresses of the company’s clients and their customers. The database also held associated metadata, such as the exact date and time emails were sent.
The researchers concluded that Maropost may have exposed its entire email marketing client base, including the customers of those clients.
Maropost CEO, Ross Andrew Paquette, claims the database contained randomised data the company used for internal testing. However, tests conducted by Cybernews suggest “at the very least, the email addresses appear to real and deliverable.”
Cybernews also criticised Maropost’s customer service, explaining it took almost two months to reach a staff member who would escalate the matter.
“The Maropost leak is yet another reminder that even after what could have been a record-breaking year for data breaches, data protection still needs to be higher on the priority list for many organisations,” added Cybernews.