FOX Data Leak Exposed 13 Million Records Including Potentially Sensitive Information

A FOX data leak reportedly exposed at least 13 million records, including personally identifiable information and content management data, through a cloud storage configuration error.

According to a Website Planet research team led by Jeremiah Fowler, the 58 GB trove was left open without a username or password, allowing anybody with an internet connection to access it.

Fowler noted that the leak posed a significant threat by exposing the environment’s backend structure, technical information, and internal email addresses.

Which information was exposed in the FOX data leak?

The Website Planet research team indicated that the data leak exposed “FOX content, storage information, internal Fox emails, usernames, employee ID numbers, affiliate station information” and other details. According to FOX, however, the only employee information leaked was business email addresses.

Fowler said the digital asset management database displayed an “internal collaborative environment divided by users, administrators, and content.”

The security researchers noted that the data leak also exposed at least 65,000 names of celebrities, guests, cast, and production crew, along with their internal Fox ID reference numbers. FOX notes, however, that the only references to any talent are publicly available information.

Similarly, technical information such as event logging, host names, host account numbers, IP addresses, and interface and device data, among other details, was exposed in the FOX data leak.

“Two of the Open Web Applications Security Project (OWASP) recommendations focus on preventing unauthorized access to the data and applications,” James McQuiggan, a security awareness advocate at KnowBe4, said. “When organizations, contractors, and third-party suppliers work on data that contains personally identifiable information, they must have policies, procedures, and audits requiring password protection and data encryption.”

McQuiggan added that developers could support organizations’ data protection policies if provided with “robust security education and training.”

However, Willy Leichter, CMO of LogicHub, blames some developers for “thinking that security rules don’t apply to them” or that their processes are immune to hacking.

Fowler indicated that the unsecured database posed a significant risk. According to the blog post, 701 email addresses were linked to reference ID numbers, security, and user roles, indicating who could publish, edit, or delete content.

How hackers could exploit exposed information in the FOX data leak

The research team posited that fraudsters could leverage the exposed email addresses to carry out phishing attacks. Hackers could also have encrypted the unsecured database, making it unavailable, and demanded a ransom. Additionally, hackers could insert malicious code to identify the platform’s vulnerabilities for future attacks.

The leak also exposed how data is stored, content delivery paths, FTP paths, and content storage locations. This information exposed how the network operates from the backend, providing attackers with valuable intel.

Fowler also noted that most internal records were marked “prod,” indicating that they belonged to production environments. Additionally, the data leak had links to “theplatform,” referring to Comcast Technology Solutions for online video management, monetization, and syndication for media networks.

FOX downplays a massive data leak

FOX disputed Fowler’s assertions, claiming that the database was for development and “not connected to any production environment.” The media agency added that the URLs and IDs were no longer in use at the time of discovery.

“Using real or realistic data at scale is an important test for most systems before they go live. But this is where we see developers get careless, or simply disregard security best practices,” Leichter said. “The almost 13 million records exposed could have fit on a single USB stick, and the data was likely shared by multiple developers – who probably felt password protection was a hassle.”

Subsequently, FOX said it was reviewing logs to determine if there was any anonymous access to the exposed database.

The research team could not determine how long the records were accessible or if an unauthorized third party had accessed them. However, research suggests that hackers discover unsecured AWS servers in less than ten minutes.

Fowler and his team praised the Fox Security Team for acting “fast and professionally” in addressing the data leak.

He added that their discovery highlighted the dangers of misconfigured cloud databases and raised awareness.

“We advise any company or organization that has a data incident that affects any environment that uses real data to consider changing administrative and user credentials,” Fowler said.

Kevin Novak of Breakwater Solutions said the fast and easy transition to public cloud providers such as Google Cloud, Microsoft Azure, and Amazon Web Services provides a false sense of security to many organizations.

“While in-house, captive data centers are certainly not immune to accidental misconfigurations (particularly as it pertains to things like leaving remote access portals accessible through the firewall), these environments have been around much longer, and the hardening of these environments tends to be slightly more well-understood,” Novak said.

Novak advised organizations to “enforce mature, tested security controls and governance protocols” to avoid becoming the next news item.

“A large number of incidents and breaches can be traced back not to aggressive attacks, but rather to simple technical or human error,” said Erfan Shadabi, a cybersecurity expert with comforte AG. “In this incident, a configuration error exposed millions of internal records, including PIIs on employees.

“Enterprises should take heed of this very common situation and invest in more effective data protection methods that are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption.”

CORRECTIONS (April 20, 2022): Amended Fox News to FOX and added clarifications on the leaked data.