• by Ray Schultz , April 10, 2020

Maropost, a marketing automation and email delivery platform based in Canada, has suffered a data breach, exposing millions of email addresses, CyberNews charges. Maropost acknowledges that an episode occurred, but points to limited timing and exposure.

The company says the vulnerable data was restricted to one Virtual Machine that had a subset of Message Transfer logs and had a data retention policy for six days.

Maropost adds that the log data contained a subset of email addresses of the recipients/contacts from a small group of Maropost Marketing accounts, but did not contain customer identifying information or sensitive data.

CyberNews writes that 19 million unique email IDs and email logs containing data including the time and date the emails were sent.

“This means leaving the database in the open might have resulted in the exposure of presumably the entire Maropost email marketing client base, as well as the customers of those clients,” CyberNews adds. 

Ross Andrew Paquette, CEO of Maropost, states: “We take security of all our clients’ data seriously. Our platform is hosted in state-of-the-art data centers.” 

“Our employees are required to complete annual security awareness trainings and their completion of the training tracked,” Paquette adds.

Whatever its extent, the problem had its origins in May 2019 when Maropost began working on a Proof of Concept to explore ElasticStack for a Centralized Logging Project, the company says.

Testing began early June 2019 with small local log files. The log content contained recipient email addresses with campaign ID, contact ID, account ID and status of the email sent — e.g., delivered, bounced,  etc., the company reports.

Roughly a month later, the Marosoft team applied a global rule to the Maropost Marketing Project in the Google Cloud Platform. 

Maropost says the global rule “left Port 9200 open to the public, instead of following our Tagging schema which restricts access to production machines to only authorized individuals.”  

The firm stopped the streaming of log data on the Proof of Concept virtual machine in mid-February of this year. Data on the server was aged due to processing time and limited storage.

And the virtual machine was shut down with the closure of the proof of concept project on March 30. The global firewall rule was deleted from the Maropost system on April 1 2020. 

The company heard from CyberNews on April 1. 

Maropost offers a range of says on its site ethat it sends billions of targeted emails each month. Its clients include the New York Post, Mother Jones, Scott and other brands.

Of course, there are bound to be issues and criticisms. 

One observer, Piyush Sharrma, chief technology officer at cybersecurity company Accurics, argues that “it is inexcusable for such issues to go undetected for months.”

Sharma continues, that email addresses “constitute personally identifiable information and attackers could use this information to launch a variety of attacks oriented towards identity theft, phishing attacks, email hijacking, and ransomware, which may ultimately result in financial loss for users. 

Paquette comments that “we understand that consumer privacy is critical in today’s environment and have always strived towards meeting and exceeding the expectations of the community at large.”

He adds, “We recognize the trust that our clients and indirectly their clients place with us and work hard every day to earn it. 

Sharma notes that “companies are cognizant of the need to eliminate manual misconfiguration errors and are adopting infrastructure as code technologies.”

But “that gives rise to a new set of challenges stemming from the need to govern the creation of infrastructure as code by disparate development teams across an organization,” Sharma continues.