
Weak response
The researchers identified many large organizations whose data was exposed in the URLs, including those in government, critical national infrastructure, healthcare, banking, and even a prominent cyber security company.
One curious discovery was data posted by an MSSP: Active Directory (AD) usernames and email credentials belonging to one of its clients, a large US bank. Because the posted data was not valid JSON, the researchers surmise that whoever posted it was not formatting anything at all, but simply using the service to generate a shareable URL for the credentials.
When the researchers tried to alert the affected companies to their data leaks, they were often ignored. “Of the affected organizations that we tried to contact, only a handful (thank you) responded to us quickly. The majority didn’t bother, despite attempts at communication across multiple channels,” said watchTowr principal researcher Jake Knott in a blog post.
