Thousands of medical injury claim records exposed by ad agency

An internet advertising company specializing in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.

The database contained submissions as part of a lead-generation effort by X Social Media, a Florida-based ad firm that largely uses Facebook to advertise various campaigns for its law firm customers. Law firms pay the ad company to set up individual websites that aim to sign up victims from specific categories of harm and injuries — from medical implants, malpractice, sexual abuse and more — who submit their information in the hope of receiving legal relief.

But the database was left unprotected and without a password, allowing anyone to look inside.

Security researchers Noam Rotem and Ran Locar found the database and reported it to the company, which pulled the database offline. The researchers also shared their discovery exclusively with TechCrunch and posted their findings on vpnMentor.

The database contained names, addresses, phone numbers, the date and time of a person’s submission and the circumstances and explanation of their accident, injury or illness. Often this included personal health information, sensitive medical information, details of procedures or the consumption of certain medications or specifics of traumatic events.

Several records seen by TechCrunch include records from campaigns targeting combat veterans who were injured on duty. Other campaigns sought to sign up those who suffered illnesses from pesticides or medications.

Other campaigns included soliciting claims for sexual abuse. We found several names, postal and email addresses and phone numbers of victims, many of which also described their sexual abuse as part of filling out the website form.

One of the records in the database. (Image: supplied)

The researchers said the exposed data could be “easily traced” back to the individuals who filled out the website forms.… Read the rest

Apollo raises $22M for its GraphQL platform

Apollo, a San Francisco-based startup that provides a number of developer and operator tools and services around the GraphQL query language, today announced that it has raised a $22 million growth funding round co-led by Andreessen Horowitz and Matrix Partners. Existing investors Trinity Ventures and Webb Investment Network also participated in this round.

Today, Apollo is probably the biggest player in the GraphQL ecosystem. At its core, the company’s services allow businesses to use the Facebook -incubated GraphQL technology to shield their developers from the patchwork of legacy APIs and databases as they look to modernize their technology stacks. The team argues that while REST APIs that talked directly to other services and databases still made sense a few years ago, it doesn’t anymore now that the number of API endpoints keeps increasing rapidly.

Apollo replaces this with what it calls the Data Graph. “There is basically a missing piece where we think about how people build apps today, which is the piece that connects the billions of devices out there,” Apollo co-founder and CEO Geoff Schmidt told me. “You probably don’t just have one app anymore, you probably have three, for the web, iOS and Android . Or maybe six. And if you’re a two-sided marketplace you’ve got one for buyers, one for sellers and another for your ops team.”

Managing the interfaces between all of these apps quickly becomes complicated and means you have to write a lot of custom code for every new feature. The promise of the Data Graph is that developers can use GraphQL to query the data in the graph and move on, all without having to write the boilerplate code that typically slows them down. At the same time, the ops teams can use the Graph to enforce access policies and … Read the rest

Millions of Instagram influencers had their private contact data scraped and exposed

A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.

From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.

Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database contained a record that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.

We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.

Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, did not respond … Read the rest

Job recruitment site Ladders exposed 13 million user profiles

Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.

The New York-based company left an Amazon -hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.

Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.

Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.

TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.

Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

A partial record (redacted) including a person’s name, address, phone number, job description and details of their security clearance (Image: supplied)

Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.

Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their … Read the rest