Posted on November 23, 2021 at 12:44 PM

Brazilian user data exposed in a Wi-Fi management software firm breach

A firm in Brazil that offers Wi-Fi management software has come into the spotlight after data belonging to companies and millions of users was breached. The breach on the firm has left the affected individuals vulnerable to further attacks.

The Brazilian firm in question is known as WSpot. The firm is tasked with offering software services that will allow companies to create an on-premise Wi-Fi network and ensure that their customers can access this Wi-Fi without needing a password. However, the firm is now attracting attention after a breach on its systems was discovered by SafetyDetectives, a cybersecurity research company.

10GB worth of data exposed

The magnitude of this attack is not just in the number of customers and companies affected but also in the amount of exposed data. The researchers at SafetyDetectives stated that around 10GB worth of data has been exposed to the public. This data was left unsecured through a misconfigured Amazon Web Services (AWS) s3 bucket on WSpot.

SafetyDetectives discovered the breach on September 2, and it later issued a report of the same to WSpot on September 7. WSpot quickly responded to the breach and secured its systems as a patch was executed the following day.

Despite WSpot securing the breach, its extent was still heavy, and with 10GB worth of data exposed, individuals and companies have been left vulnerable to other online attacks. During this breach, around 226,000 files containing information were exposed, according to the SafetyDetectives researchers.

The researchers further noted that the information affected during this breach includes the personal details of around 2.5 million individuals. The individuals in question were compromised after they connected their devices to the public Wi-Fi networks offered by WSpot clients.

The companies that have signed contracts with WSpot have a diverse yet sensitive clientele. One of these firms include Sicredi, a financial services provider, and if the personal details of its clients were exposed, it could lead to phishing attacks. The other sensitive clientele of the form is Unimed, a healthcare firm.

Pizza Hut is also on WSpot’s client’s portfolio, and with the high number of daily customers on this franchise, the extent of the breach could go far and beyond.

The report from SafetyDetectives also notes that the information exposed during this breach includes the information offered by individuals who wanted to access Wi-Fi at the companies served by WSpot.

The obtained details include the full names of the clients, email addresses and their taxpayer registration numbers. The login credentials that were keyed in to register for the Wi-Fi access were also exposed.

These details are sensitive in that they can be used to conduct phishing attacks or even be used for a brute force attack on companies.

WSpot confirms breach

WSpot confirmed that indeed such a breach had happened. The firm explained that the breach was caused by the “lack of standardization in the management of information stored in a specific order.”

The firm also added that since it was confirmed about the breach on September 7, it has been working to address it and ensure that similar breaches in the future will not happen. The firm stated that it concluded the technical procedures to seal the breach on November 18.

The Brazilian company also assures its clients that its servers were not compromised during the breach and remain intact and functioning as normal. Besides, the company stated that there is no evidence to show that the data exposed during this incident was accessed by cybercriminals.

WSpot also stated that it had hired the services of a cybersecurity company to conduct an independent investigation into the incident. The full investigation will help unveil if there will be any effects on the company and its clients related to the leaked data.

The company further stated that the incident had affected 5% of its clientele base. It also stated that no sensitive details or business operations were compromised during the incident. Moreover, the firm stated that it does not store sensitive financial information such as credit card details or login credentials; hence such details could not be exposed.

The company has not issued a statement on whether it will notify the individuals who were compromised in the latest incident.  A spokesperson with the company has also noted that it is yet to lodge a report with the National Data Protection Authority regarding the incident.

However, the spokesperson stated that “all legal issues surrounding the case are being addressed by WSpot as thoroughly as possible, especially to ascertain the next steps.”