A misconfigured instance of the MemberNova association management software left the personal information of "millions*" of Internet Society (ISOC) members exposed on the internet.
According to security company Clario, the data was uncovered by Bob Diachenko, an independent researcher with a knack for finding misconfigured cloud storage buckets.
In the Internet Society's case, the data was found in an open Microsoft Azure Blob repository used by MemberNova.
“The open and unprotected Microsoft Azure blob repository contained millions of files with personal and login details belonging to ISOC members and potentially putting their privacy at risk”, Clario’s Kateryna Hanko wrote.
The data leak was discovered and reported to ISOC early in December 2021, and the repository was locked down on December 15.
ISOC advised members by e-mail on December 14.
According to Clario, the size and nature of the exposed repository suggest every ISOC member was probably exposed.
What Diachenko found was a blob container named “ISOC” containing millions of JSON files, including logins and hashed passwords, along with extensive personal information.
ISOC told Clario: “We have confirmed that the association management system we use was configured incorrectly by MemberNova, which made some Internet Society member data publicly accessible.
“Fortunately, we have not seen any instances of malicious access to member data as a result of this issue.”
*Correction: There may have been millions of data blobs, but ISOC has contacted iTnews to say it has 80,000 members. iTnews has asked Clario for clarification.