Promo.com, which is popularly known for its social media ads creation platform, went on record to disclose a data breach incident that compromised nearly 22 million of its user records. As per the initial internal investigation, the source of the data breach is linked to an existing vulnerability in Promo’s unnamed third-party service provider.
Things We Know So Far…
- Promo.com team became aware of the data breach on July 21, 2020
- The data breach affected 22.1 million users of both Promo and Slidely
- A data security vulnerability in a third-party service provider caused the data breach
- No financial data, including credit card and billing information, was reported lost, since Promo does not store any of this information on its servers
- The leaked data includes first and last name, email address, IP address, approximate user location derived from the IP address, gender, as well as encrypted, hashed, and salted user passwords for Promo and/or Slidely accounts. Promo also noted that some of the hashed passwords may have been cracked and recovered in plain text
- User login via social media account was not affected
- Promo has now terminated and removed the third-party service under question
- Promo hired an external cybersecurity firm to further reinforce and upgrade its security measures
- As a precautionary measure, Promo asked all its users to change their passwords as soon as possible
Experts Speak
Although Promo.com, in its FAQ on the data breach, states that the platform is safe to use after a password reset, this incident once again highlights the gap in, and the need for close attention to, third-party risk management.
Discussing the third-party angle of this incident, Justin Heard, Director of the Security Intelligence and Analytics Team at Nuspire, pointed out that organizations often overlook vulnerabilities in the expanded attack surface, i.e. the third-party services they depend on.
Heard said, “Your attack surface is a lot bigger than you think. The Promo breach serves as a reminder of the importance of vetting your third-party partners. If your third-party partners do not have equal or greater security standards, they are a security risk. As your organization grows and scales, so does your list of third-party vendors, and thus, it is in every organization’s best interest to always vet the security of their vendors.”
He added, “The overarching issue with third-party security is accountability. If your organization collects customer data or has privileged access, it is your responsibility to keep that data protected and fines should be issued if an organization fails to do so. I recommend employing a layered approach to security. This requires advanced antivirus detection over legacy tools and educating your most important stakeholder in such a business environment – your staff. Train them on what they can do to prevent such security incidents.”