vpnMentor's research team has found a breach in the xSocialMedia database.
Noam Rotem and Ran Locar, the company's leading cybersecurity researchers, discovered vulnerabilities in multiple databases operated by xSocialMedia. Nearly 150,000 personal records were exposed, including deeply personal medical testimonies, identifying information, and contact details for the people who submitted them. That was not all: we were also able to access xSocialMedia's invoices, its customer data, and exact figures from its advertising campaigns for injury-check.com. In total, the xSocialMedia leak exposes the names, addresses, phone numbers, and medical histories that were provided by the company's leads.
Timeline of Discovery and Reaction
– June 2: Researchers discovered the leak in xSocialMedia’s database
– June 3: Linked the breach back to xSocialMedia
– June 5: Researchers contacted xSocialMedia about the breach
Examples of Entries in the Database
xSocialMedia is a Facebook marketing agency that focuses on running campaigns for medical malpractice lawsuits. According to their website, they create Facebook ad campaigns for 230+ clients. Their ads have generated over 16,000 leads.
The ads that xSocialMedia posts on Facebook lead users to a variety of "injury-check.com" subdomains, depending on their specific ailments. Examples include https://ied-fund.injury-check.com and https://ivcfilter-risk.injury-check.com. xSocialMedia lists 10 different kinds of injury lawyers that it works with. Once Facebook users have landed on one of the injury-check.com domains, they are encouraged to fill out a form with their medical details to see if they qualify for legal assistance. We could access almost 150,000 responses to these forms. Every entry carries an "xsocial_submission_id" field, which shows that these submissions came from people who clicked on one of the Facebook ads.
The exposed data includes:
– First and last name
– Email address
– Street address
– Phone number
– IP address
– Circumstances of the injury
– Explanation about the injury
The injuries described in the database range from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide exposure, medication side effects, and defective baby products. The entries include deeply private descriptions of the symptoms people are suffering from. Furthermore, using the information in the database, we could easily find submitters' social media accounts and, from their IP addresses, their approximate locations. This in turn gave us insight into their employment situations, which would give an attacker with the wrong intentions the ability to threaten or ruin victims' professional reputations.
xSocialMedia didn't just leak its leads' private data. The same database also exposed the company's own bank account details in the invoice records it sent to clients, along with those clients' names, business information, and the exact amount each company pays xSocialMedia. We could also see more than 300 different clients who are collecting this data in order to build lawsuits. Alongside this, we were able to view the source code of the website forms, as well as metrics for the Facebook ad campaigns.
Data Breach Impact
This data breach has far-reaching consequences, especially because of the sensitive health data included in xSocialMedia's database. In the US, medical records held by healthcare providers and insurers are heavily protected by HIPAA. Practitioners and other healthcare providers generally cannot release identifying information about their patients, other than for treatment, payment, and healthcare operations, without the patient's written authorization. These rules protect patients' welfare, their families, and their jobs. Healthcare providers generally cannot even confirm to an outside party that someone is their patient without a release. Patients may worry that if their workplace, for example, had open access to their medical records, it could be used against them. The only data that may be released outside of designated channels is de-identified data, with no identifying information attached.
Based on the testimonies in xSocialMedia’s database, many of these people were recording their private medical issues. Some may not have disclosed these symptoms to anyone but their doctors. They may fear losing their jobs or how their friends and family will treat them if their symptoms were public knowledge. Some may worry about being shamed for their medical conditions, or even blackmailed.
Not only that: these people can be easily traced through the identifying information attached to their testimonials. A bad actor could use that information to craft convincing phishing messages or to answer the account-recovery questions that protect these people's other accounts. Given the number of veterans with detailed accounts of their injuries in the database, terrorists could use their data to target them further as an act of revenge.
The people who filled out the forms linked in xSocialMedia's ads were already suffering from medical problems that caused enough pain and trauma that they were seeking legal help. Discovering that their data was leaked without permission could easily add to that trauma. xSocialMedia should have secured its databases before it began collecting private medical information. The firm itself is probably not subject to HIPAA, since it is not a healthcare provider or insurer, and people are free to disclose their own health information to whomever they choose. However, in this case, many of the people who submitted forms did not expect that their testimonies could be released to the public.
xSocialMedia specifically focuses its Facebook ad campaigns on the medical malpractice industry. It's a breach of ethics not to have had stronger security measures in place from the start. Furthermore, this data leak doesn't just hurt those suffering from medical malpractice; it hurts xSocialMedia's business as well. Law firms may be less inclined to work with a company that experienced such a widespread breach. Additionally, if a rival marketing company gains access to xSocialMedia's metrics, it can use them for its own gain.
How the team discovered the Breach
vpnMentor's research team found the breach through a web-mapping project. Headed by Ran and Noam, the team scans ports across known IP blocks looking for exposed services. Open ports and unauthenticated services point to holes in a company's web systems; once such a hole is found, the team checks whether it actually leads to a data breach, such as a database that answers queries without credentials. Using their expertise, the researchers examine the database's contents to confirm who owns it. Once we've found the leak, we contact the company to alert them to the data breach. When possible, we also notify those affected by the leak. We do this to make the internet safer for all users.
Advice from the Experts
This data leak could easily have been avoided. Companies can take several basic security measures to prevent or close a data leak by following these tips:
– Secure your servers.
– Implement proper access rules, so that only the application and its administrators can reach the database.
– Never leave a system that doesn't require authentication open to the internet.
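The scanning method described under "How the team discovered the Breach" and the third tip above are two sides of the same check: an outside scanner finds a data store listening on every interface, and an administrator can find the same thing from the inside before anyone else does. The script below is an added example written for this page, not code from vpnMentor or xSocialMedia. It parses the output format of `ss -tlnp` on Linux and flags listeners on common data-store ports that are bound to a wildcard address. The page does not say which database technology xSocialMedia used, so the port list is an assumption, and the `ss` output is constructed for the example rather than captured from any real host.

```python
"""Audit a host's listening TCP sockets for data stores bound to all interfaces.

Added example for this article. Parses the output format of `ss -tlnp`
(Linux iproute2) and reports data-store listeners that an Internet-facing
host would expose. The sample output below is constructed, not captured
from any real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed set of commonly exposed data-store ports (not taken from the article;
# the page does not name xSocialMedia's database technology). Whether a given
# listener actually requires authentication depends on the deployment, so a hit
# here is a finding to verify, not proof of a leak.
DATASTORE_PORTS = {
    9200: "Elasticsearch HTTP",
    9300: "Elasticsearch transport",
    27017: "MongoDB",
    6379: "Redis",
    5984: "CouchDB",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    11211: "memcached",
}

# Constructed `ss -tlnp` output for illustration only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1203,fd=6))
LISTEN  0       4096    *:9200               *:*                users:(("java",pid=1450,fd=210))
LISTEN  0       4096    0.0.0.0:27017        0.0.0.0:*          users:(("mongod",pid=1510,fd=11))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=1600,fd=5))
LISTEN  0       4096    [::]:9300            [::]:*             users:(("java",pid=1450,fd=215))
"""

# Addresses that mean "every interface" in ss output (IPv4, IPv6, and the
# unspecified wildcard).
WILDCARD_ADDRS = {"*", "0.0.0.0", "[::]"}

# Local Address:Port column: IPv4 dotted quad, bracketed IPv6, or "*".
LOCAL_RE = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[0-9.]+):(?P<port>\d+)$")
# First process name inside the users:(("name",pid=...)) column.
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something other than a listening socket
        m = LOCAL_RE.match(fields[3])
        if not m:
            continue  # unexpected address format; ignore rather than guess
        proc = PROC_RE.search(line)
        listeners.append(
            Listener(m["addr"], int(m["port"]), proc["name"] if proc else "?")
        )
    return listeners


def exposed_datastores(listeners: list[Listener]) -> list[Listener]:
    """Return listeners on known data-store ports bound to a wildcard address."""
    return [
        l for l in listeners
        if l.port in DATASTORE_PORTS and l.address in WILDCARD_ADDRS
    ]


def report(output: str) -> list[str]:
    """Human-readable findings for every exposed data store in `output`."""
    return [
        f"{DATASTORE_PORTS[l.port]} ({l.process}) listens on {l.address}:{l.port}; "
        "bind it to localhost or a private interface and require authentication"
        for l in exposed_datastores(parse_ss(output))
    ]


if __name__ == "__main__":
    # On a real host: report(subprocess.check_output(["ss", "-tlnp"], text=True))
    for finding in report(SAMPLE_SS_OUTPUT):
        print(finding)
```

In the constructed sample, Redis on 127.0.0.1 and PostgreSQL on [::1] are not reported because they only answer locally, while the Elasticsearch and MongoDB listeners on `*`, `0.0.0.0`, and `[::]` are. A wildcard bind is not itself the vulnerability; the finding is that such a listener is reachable by any scanner like the one described above unless a firewall or cloud security group blocks it and the service itself demands credentials, so each hit should be checked for both.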
For a more in-depth guide on how to protect your business, contact the team to learn how to secure your website and online database from hackers.