More Than 12% of Analyzed Online Stores Expose Private Backups, Study Shows

Many online stores accidentally expose sensitive data from private backups by forgetting them in public folders, a study by website security company Sansec reveals.

Internal API keys, database and internal account passwords, administrator URLs and personally identifiable information (PII) of customers are among the most critical bits of data exposed by the malpractice.

After examining 2,037 online stores of various sizes, Sansec revealed that 250 (12.3%) websites expose private ZIP, SQL and TAR backup archives on public web folders. The sensitive content could be accessed freely, risking a cybersecurity disaster.

As Sansec’s analysts point out, threat actors constantly probe for weak points by running frequent automated scans against “thousands of possible backup names.”

“The attack includes clever permutations based on the site name and public DNS data, such as /db/staging-SITENAME.zip,” reads Sansec’s security advisory. “Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found.”

The implications of exposing this type of data are colossal, as threat actors could exploit it to take over any vulnerable website. Combining secret administrator URLs, hashed staff accounts passwords, and the master database password is often enough for perpetrators to gain administrator privileges.

Sansec recommends online store owners check if any backups are left in public folders and whether they can be accessed through the store’s public URL. For any exposed backup files, site owners should follow these mitigation tips:

1. Check the logs to see if any sensitive files were downloaded
2. Check for unauthorized admin accounts
3. Enforce multi-factor authentication (MFA) for staff and administrator accounts
4. Change critical passwords such as administrator, SSH/FTP or database passwords
5. Configure your web server to prevent access to archive files