Database of the Cricketsocial.com platform left open online

CyberNews reported that Cricketsocial.com, a social platform for the cricket community, exposed private customer data and admin credentials.

Cricketsocial.com, is a social platform developed for the cricket community online. CyberNews discovered that a database used by the platform was left open online, it contains a huge trove of data.

The Social platform for the cricket community exposed over 100k entries of private customer data and credentials.

The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email, phone numbers, names, hashed user passwords, dates of birth, and addresses. The experts noticed that most of the records in the database seem to be test data, however, the experts discovered it also includes personally identifiable information (PII) of legitimate site users. The data stored in the database includes posts, comments, number of likes, and links to images kept on the AWS storage bucket.

The experts discovered the database also exposed plaintext credentials for a website administrator account, a piece of information that could allow an attacker to take over the platform.

The storage of passwords in plaintext is a bad practice that could advantage threat actors while targeting an infrastructure

Experts also found a second open instance of the database owned by cricketsocial.com that contains all the same types of information found in the first one. However, the second database was much smaller, likely because it was part of a development and quality assurance environment.

Experts warn that threat actors can use multiple tools to distinguish test data from real ones.

“Even if all the information stored was test data, leaving data in plaintext is a poignant indication of bad security practices being employed. That creates unnecessary risks for unsound practices creeping into the production environment if left unchecked,” researchers conclude. “information can be sold for substantial amounts of money. Threat actors could later use this information for identity theft or spam.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cricketsocial.com)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.